Security News > 2021 > October > UPDATE: EU’s Green Pass Vaccination ID Private Key Leaked or Forged

UPDATE: EU’s Green Pass Vaccination ID Private Key Leaked or Forged
2021-10-28 15:34

As of Thursday morning Eastern time, Adolf Hitler and Mickey Mouse could still validate their digital Covid passes, SpongeBob Squarepants was out of luck, and the European Union was investigating a leak of the private key used to sign the EU's Green Pass vaccine passports.

On Wednesday, the Italian news agency ANSA reported that several underground vendors were selling passes signed with the stolen key on the Dark Web, and that the EU had called "Several high-level meetings" to investigate whether the theft was an isolated incident.

The private key used to verify Hitler's pass was reportedly revoked as of Wednesday, but there were multiple reports of working certificates still being sold online.

"On various groups are circulating several forged Green Pass with valid signature." -Emanuele Laface's Oct. 26 GitHub post.

Rather, it could be that a database of private keys was compromised: a possibility that "May [end] up in a break of the chain of trust in the Green Pass architecture," they noted.

Threatpost reached out to the European Commission and some EU CERT agencies for an update on investigations into the key leak and will update this story when we hear back.


News URL

https://threatpost.com/eus-green-pass-vaccination-id-private-key-leaked/175857/