German COVID-19 Contact-Tracing Vulnerability Allowed RCE

2020-11-19 21:34

A security vulnerability in the infrastructure underlying Germany's official COVID-19 contact-tracing app, called the Corona-Warn-App, would have allowed pre-authenticated remote code execution.

Researcher Alvaro Muñoz wrote in a report this week that he and his team at GitHub Security Lab was chasing down RCE vulnerabilities on the platform and found one in the infrastructure supporting CWA for Android and OS. The team said it worked with SAP to mitigate the issue, adding as a server-side issue, the mobile apps themselves were not impacted, and that no data was collected beyond a device's IP address.

"There appeared to be a pre-authentication RCE vulnerability in Corona-Warn-App Server, which drives Germany's COVID-19 contact-tracing application infrastructure," according to Muñoz.

"The app informs us if we have had contact with a person diagnosed with COVID-19," according to the CWA site.

In Sept., the nonprofit Electronic Frontier Foundation warned about the possible implications of contact tracing apps to be used to stifle free speech protections, specifically calling out California's lack of privacy considerations in developing a tracing app for the state.

News URL

https://threatpost.com/german-covid-19-contact-tracing-vulnerability-rce/161419/

#covid19 #german #RCE #vulnerability

News URL

Related news