Closed shmick closed 2 years ago
I can't find the source in the repo, but if you check the source of the QR Code Verifier page, you can see that it does some basic checks on the link and then makes a request itself to check the validity.

```javascript
// Only checks that the scanned text contains 'serialNumber';
// the host check is commented out, so any URL passes this test.
if (resultText.includes('serialNumber')) { // && resultText.includes('verifier.vaccine-ontario.ca')
    // Fetches whatever URL was in the QR code and trusts its JSON answer.
    const verifyUrl = resultText + '&responseType=json';
    const verifyResponse = await fetch(verifyUrl);
    const verifyResponseJson = await verifyResponse.json();
    console.log(verifyResponseJson);
    if (verifyResponseJson.result == 'valid') {
        valid = true;
    }
}
```

However, the check for the host is commented out, so someone could create a QR code to their own API endpoint that just always returns `{"result": "valid"}`. But at least this is another possible way to provide defense-in-depth against QR code shenanigans.
This has now been fixed - we removed valid.html entirely, and now return either success or failure directly from the validation endpoint's response. Thank you very much for letting us know about this!
A valid request to `https://verifier.vaccine-ontario.ca/verify` returns a 302 redirect to `/valid.html` and shows the green checkmark and Verified message. As there is no validation on the GET request for `/valid.html`, anyone could make a QR code that simply links to `/valid.html`.

Would it be possible for the request to `/verify` to return the contents of what's already `invalid.html` or `notfound.html` rather than issuing a redirect?