Serious security flaw in eHranica, Slovak data are in danger

Hacking attacks are nothing special today. Their main goal is mostly to make money, although it may not seem so at first glance. They go indirectly. It is worth mentioning, for example, the recent case from the USA, where attackers managed to steal the personal data of approximately 100 million users of T-Mobile’s services. Our Slovak eHranica could also face an unpleasant problem. The web portal Živé.sk informs about it.

Ethical hackers have detected errors in the eHranica system and informed the competent authorities about it

Errors in the system were discovered by ethical hackers from Nethemba. They allegedly managed to find two vulnerabilities of a more serious nature. The attacker is said to be able to send anyone to domestic quarantine for a 14-day period, or is allowed to obtain an EU Digital COVID card from virtually anyone. Ethical hackers have reported problems and fortunately the bugs are fixed. They further claim that they managed to obtain vaccination cards from politicians. All they needed was data that is publicly available on Wikipedia.

Vulnerability number one is considered to be the possibility to verify the authenticity of any birth number. Thus, it was possible to obtain and subsequently verify the birth number of any registered person. Just know your name, surname and date of birth. This data can also be obtained, for example, on a social network, where the user is used to publishing it. The next process is already a bit complicated, but with a little effort it would be possible to obtain the entire birth number of the objector.

The holes allowed the change of personal data or the acquisition of sensitive information

The second potential danger was directly related to the electronic system eHranica. It is a system in which it is obligatory to register every time you arrive from abroad. Ethical hackers have found the wrong connection between eHranica and the NCZI system, which records all the information associated with a pandemic.

We are talking about individuals who, for example, have passed a test. Their test results as well as vaccination data have been stored on this site. Filling in the form via eHranica only updates the database for contact details, which also applies to logging in to the NCZI. In this way, it was possible to easily change the contact details entered, for example, during registration for testing or vaccination. In addition, the person concerned would not even receive any notification of a change in the system.

In practice, in the end, anyone could upload a foreign certificate to their mobile phone via the Greenpass application. It is also worth mentioning the fact that it is similarly possible to find out whether a person who publicly opposes vaccination has not been vaccinated in “secrecy”. Holes in the system could have brought other potential dangers, but those mentioned by us were among the most risky.