
Hackers placed the data of 48 million vaccination certificates for sale; Mediazona reported the vulnerability to the authorities six months ago

A database of QR codes of vaccinated Russians from the STOP Coronavirus Public Services application has appeared on one of the forums on the dark web. This was reported by the Telegram channel «Information Leaks».

According to the post, the sample data contains 10 thousand rows.

The table contains the first letters of the vaccinated person's last name, first name and patronymic in Russian and English, the date of birth, the UNRZ, the first two digits of the passport series and the last three digits of the passport number, the name of the vaccine in English and Russian, as well as a QR code in PNG format and its validity period.

The seller claims that the database contains 48 million rows and is asking $100,000 for the table.

According to the authors of the Telegram channel, «selective verification» showed that the QR codes from the database are valid, lead to «Gosuslugi» and match the code from the official page for checking QR codes.

Six months ago, in August 2021, Mediazona discovered a vulnerability on the Gosuslugi website that could lead to such a leak.


a little about the safety of our data in the hands of the state (thread)

Last summer, @Zforever and I were looking into the COVID registry, and we were horrified to discover that the data from vaccination certificates just sticks out.

— Litavrin (@litavrinm) January 25, 2022

The editors noticed that one of the old links for checking the validity of vaccination certificates allowed a certificate holder's data to be disclosed without authorization. The certificate number consists of 16 digits: the digit 9, the region number and the UNRZ number, which is generated sequentially for each vaccinated person.

By substituting the UNRZ number into this link and selecting the region number, it was possible to obtain information about each person vaccinated in Russia.
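One way to close this class of flaw, shown as an added example that is not from the article or from the Gosuslugi code base: the verification link carries a server-issued HMAC tag, so knowing or guessing a sequential certificate number is not enough to read a record. The registry entries, the split of digits inside the sample numbers, the key handling and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed registry (all values made up). The numbers follow the layout the
# article describes: 16 digits, a leading 9, a region number, then a counter
# issued sequentially. The exact digit split used here is an assumption.
REGISTRY = {
    "9770000012345678": {"initials": "I. I. I.", "vaccine": "Example-Vac"},
    "9770000012345679": {"initials": "P. P. P.", "vaccine": "Example-Vac"},
}

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


def lookup_by_number(cert_number):
    """Weak pattern: the sequential number alone selects the record."""
    return REGISTRY.get(cert_number)


def issue_token(cert_number, key=SERVER_KEY):
    """Tag bound to one certificate, embedded in its link or QR code at issue."""
    return hmac.new(key, cert_number.encode(), hashlib.sha256).hexdigest()


def lookup_with_token(cert_number, token, key=SERVER_KEY):
    """Hardened pattern: the record is returned only with a valid tag."""
    expected = issue_token(cert_number, key).encode()
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected, str(token).encode()):
        return None  # same answer for a wrong tag and an unknown number
    return REGISTRY.get(cert_number)


if __name__ == "__main__":
    own = "9770000012345678"
    neighbour = "9770000012345679"  # the next number in the sequence
    tag = issue_token(own)
    print("weak, neighbour number:", lookup_by_number(neighbour))
    print("hardened, own link:", lookup_with_token(own, tag))
    print("hardened, neighbour + own tag:", lookup_with_token(neighbour, tag))
```

Rate limiting and alerting on runs of consecutive certificate numbers from one client complement this design, since the tag only prevents guessing and does not detect attempts.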

Mediazona reported the problem and described the vulnerability in detail to Rostelecom, and also sent the information to the press service of Mintsifra, but did not receive a response. As of December 15, the vulnerability had still not been fixed. Now it is no longer possible to use it.

According to the press service of the Ministry of Digital Development, the department has already begun checking the message about the leak. There is no threat to the security of personal data of users of the STOP Coronavirus Public Services application, the ministry assured.

Updated at 22:53. Comment added by Mintsifra.
