Covid Check QRcode Crash App (dos) #146

Closed
kfmgang opened this issue Jul 16, 2021 · 3 comments
Labels
bug Something isn't working


kfmgang commented Jul 16, 2021

Hello,

Small issue: a person could generate a QR code readable by the application (with an invalid signature), with the parameter "dn" containing the value 99999999999999999999999999999999999. The application will crash each time the QR code is scanned. The problem is also present on Covid Cert but is less problematic there. Indeed, a possible scenario (with a bit of social engineering) is that a person creates a QR code with the payload that crashes the application and presents it to a third party (a restaurant, for example). The third party can't check the validity of the certificate because the application will crash at each scan, so the third party could grant access to its services, thinking that the certificate is valid and that it's a bug in the application. (The scenario is maybe extreme, but with a good chance that it works.)

Only tested on iOS

Payload:

```json
{
  "ver": "1.0.0",
  "nam": { "fn": "foo", "fnt": "FOO", "gn": "bar", "gnt": "BAR" },
  "dob": "2000-03-01",
  "v": [
    {
      "tg": "840539006",
      "vp": "1119305005",
      "mp": "EU/1/20/1528",
      "ma": "ORG-100030215",
      "dn": 99999999999999999999999999999999999,
      "sd": 2,
      "dt": "2021302-18",
      "co": "AT",
      "is": "BMSGPK Austria",
      "ci": "urn:uvci:01:AT:10807843F94AEE0EE5093FBC254BD813P"
    }
  ]
}
```

QRcode Payload : HC1:NCFOXN%TSMAHN-HNL458GI3VR%8S3I0IIC+V 43G-VC9BWH2.W7%$CML9J77D*QQHIZC4TPIFRMLNKNM8JI0EUG*%NH$RSC9$HFE1E0QV1FD/Y4J1ER6W9NT9KP-FHTNP/78LSIT7AZI9$JAYHIXGGX2M KM1GGMJCQ SA KZ*U0I1-I0*OC6H0/VMNPM Q5TM8*N9-I06H00YQK*R3T3+7A.N88J4R$F/MAITH-+R2YBV44PZBBAKO1P9-8:0L.A5R8HM*G64TQCV5RQLCUU5WY31-LH/CJ6IAACG423%B04LT HBSZ46/45/G3ZCIATULV:SNS8F-67N%21Q21$4ZW4Z*AKWIX:S:+IZW4PHBO33BC786B*E3-433QBV53XEBW77WNN+FNULJ96B4UN*97$IJV7776B3D3CZK7%2RZ4QWCS46147TMHS6ML*H:/E6 N$YPQ98ZF0HYGKZNZXVB NEHFXHV$0T2VMF%UVRC-/623WU-F*NF$:II947HAT6UPDMUIP6 4JXD-5W7GGLZQ-TEB403SRF2


Hoping to have helped ^^

@goebelUB
Contributor

Thanks a lot for the report.

I can reproduce the crash and the iOS team will look into it.
I also tested it on Android; there the deserialiser catches it and throws a `com.squareup.moshi.JsonDataException: Expected an int but was 99999999999999999999999999999999999 at path $.v[0].dn` (which we catch and propagate as a decoding error).

Author

kfmgang commented Aug 25, 2021

Just to inform you that I can't reproduce the crash on the 2.4.0 👍🏻 @goebelUB

@goebelUB
Contributor

Thanks for confirming, and thanks again for reporting this!
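
The handling described for Android in this thread (an out-of-range "dn" becomes a decoding error instead of a crash) can be sketched as follows. This is an added example, not part of the issue thread or the project's code: the function names, the result states, the lower bound of 1 and the use of plain JSON input are assumptions made for illustration, and signature verification is out of scope.

```python
import json

INT32_MAX = 2**31 - 1  # assumption: 32-bit range, as implied by "Expected an int"

class DecodingError(Exception):
    """Raised for any payload that cannot be decoded into the expected types."""

def bounded_int(obj, key, path, lo=1, hi=INT32_MAX):
    """Return obj[key] only if it is a real integer within [lo, hi]."""
    value = obj.get(key)
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise DecodingError(f"Expected an int at path {path}.{key}")
    if not lo <= value <= hi:
        raise DecodingError(f"Expected an int but was {value} at path {path}.{key}")
    return value

def decode_doses(raw):
    """Decode (dn, sd) for every vaccination entry, or raise DecodingError."""
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError) as exc:
        raise DecodingError(f"Malformed JSON: {exc}") from exc
    entries = doc.get("v") if isinstance(doc, dict) else None
    if not isinstance(entries, list) or not entries:
        raise DecodingError("Expected a non-empty list at path $.v")
    doses = []
    for i, entry in enumerate(entries):
        path = f"$.v[{i}]"
        if not isinstance(entry, dict):
            raise DecodingError(f"Expected an object at path {path}")
        doses.append((bounded_int(entry, "dn", path), bounded_int(entry, "sd", path)))
    return doses

def check_certificate(raw):
    """Fail closed: a payload that cannot be decoded is reported as invalid."""
    try:
        return {"state": "DECODED", "doses": decode_doses(raw)}
    except DecodingError as exc:
        return {"state": "INVALID", "error": str(exc)}

# Constructed samples: the first carries the oversized "dn" from the report.
OVERSIZED = '{"v": [{"dn": 99999999999999999999999999999999999, "sd": 2}]}'
WELL_FORMED = '{"v": [{"dn": 2, "sd": 2}]}'

if __name__ == "__main__":
    print(check_certificate(OVERSIZED))
    print(check_certificate(WELL_FORMED))
```

Returning an explicit invalid state for undecodable input gives the person scanning a definite "not valid" answer, rather than an app failure they might attribute to a bug.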
