Corona test results from more than 80,000 people were unprotected online for weeks. The reason was a massive security gap in an IT solution that is used by more than 150 test centers in Germany and Austria.

Anyone who does a corona test must assume that the result will be transmitted to the responsible health department due to the applicable reporting obligation becomes. In the case of 136,000 test results, the data was not only sent to the authorities, but could at least theoretically be accessed by anyone via the Internet. This was the result of an investigation by the security collective Zerforschung and the Chaos Computer Club (CCC).

In addition to the actual test result Further personal data of the test persons could also be called up without access protection. This included the name, place of residence, date of birth, citizenship as well as telephone number and e-mail address. At least in some cases, the ID or passport number of the person concerned was apparently stored in the data.

The error was the responsibility of the Safeplay software, which was developed by the Viennese company Medicus AI. The software serves as a complete solution for test centers and covers the entire test operation from the allocation of appointments to the creation of test certificates. According to the Süddeutsche Zeitung, Safeplay is used by more than 150 test centers and mobile test teams in Germany and Austria.

According to the CCC, test results from public test centers in Berlin, Munich and Carinthia were affected by the security gap. In addition, data from temporary test stations in schools, daycare centers and companies are also said to have been affected. Zerforschung and the CCC have shared their findings with the responsible Federal Office for Information Security. The manufacturer Medicus AI has now fixed the security gap and stated that the error arose during a software update in February.

More than a data leak: Corona test data could be manipulated will

According to Zerforschung, it was possible to add your own data retrospectively using the software solution to change. The name could not be changed via the website provided for this purpose, but it could be changed via a direct request to the interface used. In this way, a further test result could be called up as a PDF for a new name and address. Those who were tested could have created and printed out evidence of a negative test for any number of other people.

In addition, Medicus provides AI provides users of the software with a dashboard that can be used to call up statistics on the corona tests carried out. According to Zerforschung, it was apparently also possible to log on to this statistics page with the login data given to test persons, although the website is clearly intended for the operators of the test centers. Test periods could be defined down to the second using the dashboard. If you are from a test center and remember the time of another person’s test, you would theoretically have the opportunity to query this exact period and thus find out the result.

The dashboard apparently also made it possible to call up statistics for individual test centers. Since the software was also used by companies, it could be found out, for example, how many employees of a company were tested positive.

CCC speaks of Negligence of the software manufacturer

“This is not the first and certainly not the last Security gap in hastily tinkered Corona IT, ”says CCC spokesman Linus Neumann. “If catastrophic beginner mistakes happen with such simple tasks, those responsible should do their homework first. Instead, next, several million euros will be sunk for questionable blockchain vaccination certificates, “says Neumann, alluding to the award of the contract to an IBM-led consortium to create a digital vaccination certificate.

Also interesting: Corona self-tests at Aldi: useless certificates and data leak

You might also be interested in