billylo1 / covidpass

Web app for adding Ontario vaccination records to Apple Wallet (forked from covidpass in EU)
https://grassroots.vaccine-ontario.ca
MIT License
79 stars 12 forks

Call to /valid.html is not validated #14

Closed shmick closed 2 years ago

shmick commented 2 years ago

A valid request to https://verifier.vaccine-ontario.ca/verify returns a 302 redirect to /valid.html and shows the green checkmark and Verified message.

As there is no validation on the GET request for /valid.html, anyone could make a QR code that simply links to /valid.html.

Would it be possible for the request to /verify to return the contents of what's already invalid.html or notfound.html rather than issuing a redirect?

Gibstick commented 2 years ago

I can't find the source in the repo, but if you check the source of the QR Code Verifier page, you can see that it does some basic checks on the link and then makes a request itself to check the validity.

```javascript
// Excerpt from the verifier page's script (note the host check left commented out)
if (resultText.includes('serialNumber')) {   //  && resultText.includes('verifier.vaccine-ontario.ca')
    const verifyUrl = resultText + '&responseType=json';
    const verifyResponse = await fetch(verifyUrl);
    const verifyResponseJson = await verifyResponse.json();
    console.log(verifyResponseJson);
    if (verifyResponseJson.result == 'valid') {
        valid = true;
    }
}
```

However, the check for the host is commented out, so someone could create a QR code to their own API endpoint that just always returns {"result": "valid"}. But at least this is another possible way to provide defense-in-depth against QR code shenanigans.
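The substring check quoted above accepts any text containing `serialNumber`, so a QR code pointing at an attacker-controlled endpoint that answers `{"result": "valid"}` passes. The following is an added example, not the project's own code, of how the client-side check could be hardened: parse the scanned text as a URL, require the exact expected origin and path, and only then call the endpoint. The trusted origin `https://verifier.vaccine-ontario.ca`, the `/verify` path and the `serialNumber` parameter are taken from the URLs mentioned in this issue; the hostile and legitimate sample QR contents are constructed for the demo.

```javascript
// Added example (not covidpass code). Assumed from this issue: the verifier
// origin, the /verify path, and the serialNumber query parameter.
const TRUSTED_ORIGIN = 'https://verifier.vaccine-ontario.ca'; // assumption
const TRUSTED_PATH = '/verify';                               // assumption

// Weak check, equivalent to the quoted snippet: a substring test that any
// attacker-controlled URL can satisfy.
function looksLikeVerifyLinkWeak(text) {
  return text.includes('serialNumber');
}

// Hardened check: parse as a URL, demand an exact origin (scheme + host + port)
// and path, and a non-empty serialNumber. Returns the URL to call, or null.
// Comparing url.origin also defeats tricks such as
// https://verifier.vaccine-ontario.ca@attacker.example/verify, because the
// trusted name ends up in the userinfo part, not the host.
function trustedVerifyUrl(text) {
  let url;
  try {
    url = new URL(text);
  } catch {
    return null; // not a URL at all
  }
  if (url.origin !== TRUSTED_ORIGIN) return null;
  if (url.pathname !== TRUSTED_PATH) return null;
  if (!url.searchParams.get('serialNumber')) return null;
  url.searchParams.set('responseType', 'json');
  return url.toString();
}

// Only an explicit "valid" result from the trusted endpoint counts.
function resultIsValid(json) {
  return Boolean(json) && typeof json === 'object' && json.result === 'valid';
}

// Full client flow. fetchImpl is injectable so the flow can run offline.
async function verifyScan(text, fetchImpl = globalThis.fetch) {
  const verifyUrl = trustedVerifyUrl(text);
  if (verifyUrl === null) return { valid: false, reason: 'untrusted link' };
  const resp = await fetchImpl(verifyUrl);
  if (!resp.ok) return { valid: false, reason: `HTTP ${resp.status}` };
  let json;
  try {
    json = await resp.json();
  } catch {
    return { valid: false, reason: 'malformed JSON' };
  }
  return { valid: resultIsValid(json), reason: String(json && json.result) };
}

// Constructed sample QR contents (not real records).
const ATTACKER_QR = 'https://attacker.example/api?serialNumber=1';
const LEGIT_QR = 'https://verifier.vaccine-ontario.ca/verify?serialNumber=ABC123';

// Offline demo: a fake fetch standing in for an attacker endpoint that always
// says "valid". The weak check would have trusted it; the hardened flow never
// contacts it.
const fakeAttackerFetch = async () => ({
  ok: true,
  status: 200,
  json: async () => ({ result: 'valid' }),
});
console.log('weak check accepts attacker QR:', looksLikeVerifyLinkWeak(ATTACKER_QR));
verifyScan(ATTACKER_QR, fakeAttackerFetch).then((r) => console.log('hardened flow:', r));
```

The server-side change straxus describes below (no redirect to a static success page) closes the issue reported here; the origin check above addresses the separate client-side gap Gibstick points out, and the two are complementary.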

straxus commented 2 years ago

This has now been fixed - we removed valid.html entirely, and now return either success or failure directly from the validation endpoint's response. Thank you very much for letting us know about this!