Digital driver’s license no longer in app stores
The ID wallet app for the digital driver’s license is no longer available for the time being. Previously there had been security problems in the infrastructure.
The App ID Wallet for the digital driver’s license was removed from the app stores shortly after it was launched. This is what the company Digital Enabling, which develops the app, explained. The app had previously been temporarily unusable. “In order to design the system for higher payloads and to follow the safety instructions, we will carry out extensive further tests in the next few weeks,” writes Digital enabling on his website. “During this time we will take the app out of the stores.”
The app was presented last week just before the general election. Shortly afterwards, various people found indications of security problems in the app’s infrastructure.
on Twitter wrote a person with the pseudonym Flüpkethat the DNS servers of Digital Enabling allowed zone transfers via the AXFR protocol and that the port was openly accessible for a MariaDB. AXFR makes it possible to read out the entire configuration of subdomains for a domain and is usually not offered publicly.
Various host names that were vulnerable to a subdomain takeover attack were visible via the AXFR protocol. Golem.de succeeded in controlling a subdomain, which was probably set up for test purposes, via a virtual machine on Azure. After these discoveries, the DNS server was temporarily unavailable, which meant that the app did not work in the meantime.
The ID wallet app should make it possible to show a driver’s license digitally and use it in car sharing applications, for example. In the long term, other documents should also be able to be shared with the same technology.
The author of the article is Hanno Böck.