More than 136,000 test results were therefore freely accessible, with just one prerequisite: an online account with the Viennese company medicus.ai, which provides test centers with software for booking appointments and issuing online test certificates. Such an account is often required in order to pre-register for a test. In other words, at least every customer of the affected test centers could have seen the results of all the others.
The test result was displayed on the website of the respective test center and also offered for download as a PDF. The members of »Zerforschung« discovered that the PDF was fetched from the address /api/web/v1/results/export-patient-specific-result-file?report_id=12345. They found that they only had to change the number at the end to see other people's results and data: medicus.ai had evidently used sequential numbers instead of random identifiers that would be hard to guess, and the server did not check whether the report belonged to the logged-in account.
Test certificates can be issued for any name
This exposed the date and time of sampling and the test results, but also the names, addresses, dates of birth, mobile phone numbers and e-mail addresses of those affected. Passport or ID card numbers could also be found in fields that had been filled in voluntarily, as could information on a different place of stay during the following two weeks.
Linus Neumann, one of the CCC spokesmen, told SPIEGEL: “The ID number really brings together all the data for a nice identity theft.”
This affects customers of 21dx, which describes itself as the “largest operator of corona test stations in Germany and operator of a vaccination center and mobile vaccination team in the fight against the pandemic” and operates in Berlin, among other places. According to the CCC, test centers in public institutions in Berlin, Munich and Carinthia as well as permanent and temporary test stations in companies, schools and daycare centers were also affected.
In addition, the experts from »Zerforschung« found that they could also have changed the names and addresses on the results themselves, and thus issued negative test certificates in anyone's name.
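The two flaws described above, reading other people's reports by counting up report_id and rewriting the name and address on a report, are both the same missing check: the server never verified that the report belonged to the logged-in account. The following is an added illustration, not medicus.ai's code; the store, the field names (owner, name, address, result, token), the handler names and the sample records are all constructed for the example. It models the vulnerable export endpoint and the enumeration next to a hardened read and write path that checks ownership first and uses an unguessable token as the external identifier.

```python
"""Added example (not medicus.ai's code): an IDOR on a sequential report_id,
the enumeration it allows, and hardened read/write handlers.
All names, routes and data are constructed for the demonstration."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Report:
    owner: str        # account allowed to see/edit this report (assumed field)
    name: str
    address: str
    result: str
    # Opaque, unguessable external id (128 bits) used by the hardened handlers.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class ReportStore:
    """In-memory stand-in for the backend database."""

    def __init__(self):
        self._by_seq = {}    # sequential report_id -> Report (what the page describes)
        self._by_token = {}  # random token -> Report
        self._next_id = 1

    def add(self, report):
        report_id = self._next_id
        self._next_id += 1
        self._by_seq[report_id] = report
        self._by_token[report.token] = report
        return report_id

    def token_for(self, report_id):
        return self._by_seq[report_id].token


# --- Vulnerable pattern: ?report_id=12345 is trusted as-is ---------------------
def export_result_vulnerable(store, session_user, report_id):
    """Models the export endpoint: any logged-in user receives any report."""
    report = store._by_seq.get(report_id)
    if report is None:
        return 404, None
    return 200, report            # no check that session_user owns the report


def enumerate_other_results(store, session_user, max_id):
    """Walk the id space as a logged-in user and collect other people's reports."""
    leaked = {}
    for report_id in range(1, max_id + 1):
        status, report = export_result_vulnerable(store, session_user, report_id)
        if status == 200 and report.owner != session_user:
            leaked[report_id] = report
    return leaked


# --- Hardened pattern: ownership check first, opaque id as defense in depth ----
def _authorized_report(store, session_user, token):
    report = store._by_token.get(token)
    if report is None or report.owner != session_user:
        return None   # same answer for "does not exist" and "not yours": no oracle
    return report


def export_result_hardened(store, session_user, token):
    report = _authorized_report(store, session_user, token)
    return (404, None) if report is None else (200, report)


def update_result_hardened(store, session_user, token, *, name=None, address=None):
    """The write path needs the same check, or anyone can rewrite a certificate."""
    report = _authorized_report(store, session_user, token)
    if report is None:
        return 404
    if name is not None:
        report.name = name
    if address is not None:
        report.address = address
    return 200


def build_demo_store():
    """Constructed sample data for the demonstration; not real people."""
    store = ReportStore()
    ids = {
        "alice": store.add(Report("alice", "Alice A.", "1 Example St", "negative")),
        "bob": store.add(Report("bob", "Bob B.", "2 Example St", "positive")),
        "carol": store.add(Report("carol", "Carol C.", "3 Example St", "negative")),
    }
    return store, ids


if __name__ == "__main__":
    store, ids = build_demo_store()
    leaked = enumerate_other_results(store, "alice", max_id=10)
    print("alice can read report_ids of others:", sorted(leaked))
    bob_token = store.token_for(ids["bob"])
    print("hardened export of bob's report as alice:",
          export_result_hardened(store, "alice", bob_token)[0])
    print("hardened rename of bob's report as alice:",
          update_result_hardened(store, "alice", bob_token, name="Mallory"))
```

The fix is the ownership check in `_authorized_report`, applied to every handler that touches a report, on writes as much as on reads. The random token only removes the ability to enumerate; on its own it would still leak any report whose link is shared or logged. Rate limiting, which the company later cited as the reason nobody could have pulled all 136,000 results at once, is likewise not a substitute: it slows an attacker down without removing the flaw.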
“These types of vulnerabilities are a classic”
»Zerforschung« and the CCC have informed the Federal Office for Information Security (BSI), the Federal Data Protection Commissioner and the responsible state data protection authority about the vulnerabilities. “This type of vulnerability is a classic that is warned about again and again,” says Linus Neumann: “Anyone who even remotely deals with IT security simply does not make such mistakes.”
Medicus.ai said it fixed the vulnerabilities “within a few hours” after the company was contacted by the BSI. According to the RBB, it had initially spoken of only six people “who were affected by this loophole”. It later raised the number to a theoretical 5,774 test results, “because there were exactly that many queries to the system in the period in which the gap existed.” Because measures had been taken to prevent mass queries, the company said, nobody could have retrieved all 136,000 results at once.
In a statement published on Thursday, medicus.ai said it had been confirmed that “only the data sets of six users were affected”. The company was informed by the BSI on March 11. “The causal error” had “got into the software through an update”.
In an email to SPIEGEL, medicus.ai wrote that the flaw had been introduced on February 14 by an “unfortunate bug”.
The company also says it informed the affected customers (the test centers) immediately, and again after the investigation was completed. These in turn confirmed that they had made all affected users aware of the incident. The CCC cannot confirm this: “However, we did not receive any such message for the test results of friends, which we accessed with their permission by exploiting the vulnerability.”