Experts Find Security Holes in the Servers of the Corona Warning App

A big advantage of open source projects is that everyone has access to the code and can check it for weaknesses. Someone who does practically nothing else all day is Alvaro Munoz from the GitHub Security Lab. Now the cybersecurity expert has found a security gap in the infrastructure of the Corona warning app. What sounds problematic at first is also a clear indication that the decision in favour of an open source approach was the right one.

Vulnerability in the servers
Like GitLab or BitBucket, GitHub is a platform for version management of software projects. The GitHub Security Lab was launched about a year ago with the objective of making open source software more secure.

In summer 2020, Alvaro Munoz and his team looked into the consequences of insecure usage patterns of an API that Java applications use to implement validation mechanisms. Several weeks later, the experts came across the same usage patterns, classified as unsafe, in the Corona-Warn-App-Server project.

The cause of the vulnerability is an insecure spot in the code of the validation mechanism for user input. The project uses an interface called the Java Bean Validation API to accept and validate user input. In the case of the Corona warning app, user inputs include sharing a positive test result.

As early as June 2020, Munoz described in a blog post how the insecure usage patterns can lead to a so-called RCE vulnerability in the framework used. RCE stands for Remote Code Execution. Such vulnerabilities serve as gateways for cyber attacks.
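The insecure usage pattern Munoz described, shown here as an added illustration that is not code from the Corona-Warn-App-Server project or from Munoz's blog: a custom Bean Validation constraint validator that copies the submitted value into a constraint violation message template, next to a hardened version that keeps user input out of the template. It assumes Hibernate Validator as the Bean Validation provider with the javax.validation namespace; the ValidKey annotation and the class names are hypothetical.

```java
import java.lang.annotation.*;
import javax.validation.*;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

// Hypothetical constraint annotation for this example (not from the CWA project).
@Constraint(validatedBy = SafeKeyValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@interface ValidKey {
    String message() default "submitted key is not valid";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

// INSECURE pattern: the raw submitted value is concatenated into the message
// *template*. The default interpolator evaluates ${...} expressions in templates,
// so a crafted value is evaluated on the server instead of being echoed as text.
class InsecureKeyValidator implements ConstraintValidator<ValidKey, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value != null && value.matches("[A-Za-z0-9]{16}")) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();
        ctx.buildConstraintViolationWithTemplate("invalid key: " + value)
           .addConstraintViolation();   // user input becomes the template
        return false;
    }
}

// HARDENED form: the template stays a constant (the annotation's message) and
// the rejected value is never placed in it; log it separately if it must be kept.
class SafeKeyValidator implements ConstraintValidator<ValidKey, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        return value != null && value.matches("[A-Za-z0-9]{16}");
    }
}

// Defence in depth: ParameterMessageInterpolator expands only {param}
// placeholders and never evaluates ${...} expressions, so a template that
// does contain user input stays inert even if a validator slips through review.
class ValidatorSetup {
    static ValidatorFactory build() {
        return Validation.byDefaultProvider().configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory();
    }
}
```

A code-review check for this class of bug is to flag every call to buildConstraintViolationWithTemplate whose argument is not a compile-time constant.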

Developers reacted promptly
And the researchers found exactly such a weak point in the repository of the German Corona warning app server. The repository thus joined a series of projects in which the experts found what they were looking for. In the case of the Corona warning app and the servers behind it, it would have been possible to exploit the RCE vulnerability when submitting a positive Covid-19 test result. If you are interested in the exact background, you can read it on Munoz’s blog. But be careful, a little IT knowledge is essential.

On October 21, 2020, Munoz informed the responsible development team at SAP about the vulnerability in the code. The development team was able to fix the problem on October 28th. The vulnerability was finally closed on November 9th.

What exactly the vulnerability could have affected cannot be said precisely. In any case, the integrity of the Corona app was at risk. The experts emphasized, however, that the weakness was in the backend of the Corona warning app. The data security of the mobile app was never endangered, which would also be difficult, because the app does not transmit any personal data other than the IP address of the devices used.

The fact that the vulnerability could be discovered and fixed so quickly makes the advantages of the open source approach clear, an approach that was also chosen for the Corona warning app. This would not have been possible in a closed project.