FHIR Chat · Lessons to learn · Security and Privacy

Stream: Security and Privacy

Topic: Lessons to learn


John Moehrke (Jul 08 2021 at 11:34):

Here is a security hole found in the Spanish COVID Vaccine Credential system that exposes personal demographics (might be more). Likely because there is no access control check if you are providing an id. Creative use of an API must always be considered in a system design.
https://www.eldiario.es/tecnologia/fallo-web-sanidad-madrid-deja-descubierto-datos-rey-miles-personas_1_8114359.html

Josh Mandel (Jul 09 2021 at 00:55):

These kinds of mistakes are particularly likely when organizations rush a service to production (e.g., to meet a regulatory deadline that comes into effect without sufficient time for careful implementation).

I'm not even sure this is creative use of the API; more like an oversight in access control.

John Moehrke (Jul 09 2021 at 11:47):

My use of "creative" was in humor. A system must be designed to do the right thing regardless of client creativeness. Hackers are 'creative'.

Josh Mandel (Jul 09 2021 at 15:15):

Sure thing. My main point is that this system was apparently not protected at all, and just configured to return any data to anyone. There are lots of complex failure modes for security systems, but this sounds like a dead simple one.

John Moehrke (Jul 09 2021 at 15:53):

My understanding is that the normal use was through a Search API, and that filtered out the patient name... But this was a GET API, which they never guessed someone would figure out how to put in id values.

Josh Mandel (Jul 09 2021 at 17:53):

Yeah -- that's saying there's an entirely unprotected API endpoint. This isn't an obscure or subtle "miss". It's... an open database hosted on the web.


Last updated: Apr 12 2022 at 19:14 UTC