A fault in North Macedonia made it possible to generate functional QR Codes in France. The overall security of the system is not, however, called into question.

Real fake health passes. Over the past few hours, several IT-savvy Internet users have been able to generate functional QR Codes in a few clicks, according to Twitter posts and accounts collected by BFMTV, which was able to verify that the codes were accepted by the TousAntiCovid Verif application. Some QR Codes have been generated with names as fanciful as Mickey Mouse, SpongeBob SquarePants or Adolf Hitler.

The creation of these health passes was first reported by the Swiss media Heidi.news, which raised the possibility of a flaw in the electronic signature process for health passes, which is essential for them to be authenticated.

Since the arrival of the European health pass, this digital “stamp” has been generated in the same way in all the countries of the European Union (EU). In other words: if the electronic signature process of one of the countries were to be hacked, the generated QR Codes would then be valid throughout the EU.

A fault in North Macedonia

According to information obtained by BFMTV, nothing so far indicates a flaw in the electronic signature process itself. According to two Internet users who were able to generate health passes recognized as valid by verification applications, the flaw lies in servers based in North Macedonia. The country is not part of the EU, but its health pass has been recognized there since August.

For reasons still unknown, a web page dedicated to the creation of official QR Codes was accessible to everyone for several hours, allowing the creation of valid health passes with any name (existing or not), any vaccine, any number of doses between 1 and 9, and from any country in the EU.

“The problem is that the health authority has left a publicly accessible server that signs everything asked without verifying anything. This is quite similar to fake QR Codes that would have been generated by hacking into the account of a pharmacist or a doctor, except that this is at the level of the QR Code generation service rather than at the level of the health professional,” explains Gaëtan Leurent, a researcher specializing in cybersecurity at INRIA.

“This is not a technical flaw, but it shows the organizational limits of the European covid certificate,” remarks Bastien Le Querrec, a member of the association La Quadrature du Net.

Contacted by BFMTV, the State Secretariat for Digital has not yet commented on the subject. According to the experts who were able to access the platform, it has now been deactivated and can no longer generate QR Codes.

In addition, and as BFMTV was able to verify, the codes already generated – including those in the name of Adolf Hitler, Mickey Mouse or SpongeBob – have been revoked and are reported as fraudulent on the TousAntiCovid Verif application. The consequences of this incident could therefore prove to be limited.