Date: 2021-10-29

Adolf Hitler, Mickey Mouse and SpongeBob SquarePants have one thing in common: each has benefited from a European health pass that was valid for a few hours. As reported by the Swiss media outlet Heidi News, fake Covid-19 certificates have been circulating on the Internet and in instant messaging applications since Wednesday, October 27. The Swiss outlet was able to check their validity with the country’s Covid Certificate Check application, just as BFM TV was able to verify their compliance with the TousAntiCovid application.

Still according to the French media outlet, the flaw was reportedly located on servers based in North Macedonia, and several web pages dedicated to the creation of these QR codes were accessible to all for several days, allowing anyone to produce fake certificates in any name. All the vaccination details could be filled in: type of vaccine, number of doses received, and the age and identity of the recipient.

The health passes created from these sites are now invalid. It seems that the public key coming from Macedonia, and therefore used for the generation of certificates, has been modified to put an end to this fraud. Each organization authorized to issue health passes generates a private key and a public key associated with this private key. But public keys of other countries may also have been compromised, since some false certificates reportedly come from Poland or France, all of which appeared around the same time.
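
The following sketch is an added illustration, not code from the article or from any official application. It shows why a pass signed with a trusted issuer key scans as valid whatever name it carries, and why withdrawing that key invalidates every pass signed with it. It uses a toy textbook-RSA key pair; the key id `issuer-A`, the field names and the trust-list model are assumptions.

```python
import hashlib
import json

# Toy textbook-RSA key built from two Mersenne primes. Illustration only:
# this is not how real health passes are signed and is not safe for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the issuer

def digest(payload):
    """Hash a canonical JSON encoding of the payload to an integer."""
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(payload, kid):
    """Issuer side: sign the payload with the private key."""
    return {"kid": kid, "payload": payload, "sig": pow(digest(payload), D, N)}

def verify(cert, trust_list):
    """Verifier side: checks the signature and the trust list, nothing else."""
    key = trust_list.get(cert["kid"])
    if key is None:
        return False  # issuer key unknown or withdrawn
    n, e = key
    return pow(cert["sig"], e, n) == digest(cert["payload"])

def demo():
    trust = {"issuer-A": (N, E)}  # constructed trust list (hypothetical key id)
    genuine = issue({"name": "Jane Doe", "doses": 2}, "issuer-A")
    bogus = issue({"name": "Mickey Mouse", "doses": 2}, "issuer-A")
    # Editing a signed pass without the private key breaks the signature.
    tampered = dict(genuine, payload={"name": "Someone Else", "doses": 2})
    before = [verify(c, trust) for c in (genuine, bogus, tampered)]
    del trust["issuer-A"]  # the issuer key is withdrawn from the trust list
    after = [verify(c, trust) for c in (genuine, bogus)]
    return before, after

if __name__ == "__main__":
    print(demo())
```

In this model, withdrawing the key also invalidates the genuine pass that was signed with it.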

“We have seen that some of the keys used to generate the European Green Pass certificates have probably been stolen,” comments Giampaolo Dedola, security expert at Kaspersky. “As a result, we discovered messages online offering to generate valid Covid-19 vaccination passes. […] Further analysis of two sample QR codes shows that the keys used to sign the certificates are linked to organizations based in France and Poland. In addition, when tested by official applications, these codes are considered valid.”

According to experts, the compromise of these public keys is the result not of computer attacks but of negligence. But pending an official communication on these facts, only assumptions are possible. The Secretary of State for Digital did not respond to requests from BFM TV.