Hitler, Mickey Mouse and SpongeBob got COVID-19 vaccination? Valid vaccination certificates generated by hacking the European vaccination passport system

Law enforcement agencies in the European Union are investigating the theft of a private key used by health authorities to issue and sign digital COVID-19 vaccination certificates, which has been distributed in private messaging apps and hacking forums. It should be remembered that this vaccination certificate allows the inhabitants of the European community to demonstrate that they have received at least one dose of the vaccine for COVID-19 or presented a negative test and thus move freely through the member countries.

Since the beginning of this week, dozens of users of apps such as Telegram reported seeing the private key circulating in various channels and group chats. A threat actor with access to this private key could easily falsify these certificates, completely deceived by health authorities in Europe. In addition to falsifying certificates, some individuals have used this key to issue vaccination certificates for historical and fictional characters such as Adolf Hitler, Mickey Mouse, and SpongeBob.

The security specialist known as reversebrain showed that some users have successfully created these fake certificates, which are recognized as valid by Verifica C19, an application for iOS and Android that allows you to analyze a QR code to verify the validity of the certificate, also known as “Green Pass”.

Additional reports also point out that this key is available on illegal hacking forums in which some users discuss the best way to use this tool. The main interest of visitors to these forums is to create fake vaccination certificates for potential sale; some members already offer fake certificates for up to $300 USD.

At the moment it is unknown if the Verifica C19 application will be updated to detect these fraudulent certificates.

Cybersecurity agencies in several countries of the European Union have already recognized the leak of this private key and announced the launch of an investigation: “We are aware of the alleged fraudulent manipulations of the QR code of the COVID-19 Certificate of the European Union. We are closely following reports of this incident and strongly condemn this malicious act, which represents an intrusion into a sensitive and strategic area,” a joint report said.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.