The Malaysian government has released a mobile app designed to verify the authenticity of digital health certificates. The latest version of the app, called Vaccine Certificate Verifier, was released just a few days before the rollout of a new MySejahtera update that brought some changes to the digital vaccination certificate.
Released on 20 August, the update v1.0.43 for MySejahtera on iOS and Huawei devices includes some UI changes to the digital certificate as you can see below:
The update has also changed the QR code format of the certificate. In addition, it clearly mentions the Vaccine Certificate Verifier app for the first time:
Once you scan the new QR codes with the Vaccine Certificate Verifier app, here are the results:
Before we continue, let’s backtrack a bit. Truth be told, the Vaccine Certificate Verifier app did not always work like this and it is not exactly a newly released app either.
According to the version history of the iOS app, Vaccine Certificate Verifier v1.0.4 was released way back on 5 May, while the latest version, v1.0.8, made its way to the repository on 18 August. When we did some background research on the app, it led us to a blog post published on 15 July by local developer Anonoz Chong, who pointed out that a previous version of the app was nothing more than a basic QR reader.

This is because the app, which we believe was v1.0.6, would just open any QR code without performing any actual verification. Anonoz said this could be a serious security issue as someone could just create a fake certificate, host it on some server, and create a QR code that would lead the Vaccine Certificate Verifier app to the fake certificate.
He even created a 9-second proof of concept video to represent the fake certificate scenario. However, Anonoz noted that the flaw was seemingly fixed within a week after the blog post was published, through a v1.0.7 update for the app.
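The gap between opening whatever a QR code points to and verifying a certificate can be shown with an added example, which is not the app's code or the developer's fix. The token format, the key pairs, the sample values and the function names are assumptions made for illustration, and Ed25519 is used only because it is built into Node.js.

```javascript
const crypto = require('node:crypto');

// Constructed demo keys: a real verifier app would ship only the issuer's public key.
const issuer = crypto.generateKeyPairSync('ed25519');
const stranger = crypto.generateKeyPairSync('ed25519');

const b64u = (data) => Buffer.from(data).toString('base64url');

// Hypothetical QR format for this example: base64url(JSON claims) "." base64url(signature)
function issueQr(claims, privateKey) {
  const payload = Buffer.from(JSON.stringify(claims));
  return `${b64u(payload)}.${b64u(crypto.sign(null, payload, privateKey))}`;
}

// Flawed pattern: whatever the QR code contains is displayed as if it were a certificate.
function naiveVerify(qrText) {
  return { accepted: true, display: qrText };
}

// Hardened pattern: nothing is fetched or opened. The payload must carry a
// signature that verifies under the pinned issuer key.
function strictVerify(qrText, trustedPublicKey) {
  const parts = qrText.split('.');
  if (parts.length !== 2 || !/^[A-Za-z0-9_-]+$/.test(parts[0] + parts[1])) {
    return { valid: false, reason: 'not a signed certificate' };
  }
  try {
    const payload = Buffer.from(parts[0], 'base64url');
    const signature = Buffer.from(parts[1], 'base64url');
    if (!crypto.verify(null, payload, trustedPublicKey, signature)) {
      return { valid: false, reason: 'signature mismatch' };
    }
    return { valid: true, claims: JSON.parse(payload.toString('utf8')) };
  } catch {
    return { valid: false, reason: 'malformed payload' };
  }
}

// Constructed sample inputs.
const sampleClaims = { name: 'Sample Holder', doses: 2 };
const genuine = issueQr(sampleClaims, issuer.privateKey);
const forged = issueQr(sampleClaims, stranger.privateKey); // signed by an untrusted key
const hostedPage = 'https://fake-cert.example/certificate.html'; // link to a look-alike page
const tampered = `${b64u(JSON.stringify({ ...sampleClaims, doses: 3 }))}.${genuine.split('.')[1]}`;

for (const [label, qr] of Object.entries({ genuine, forged, hostedPage, tampered })) {
  console.log(label, naiveVerify(qr).accepted, strictVerify(qr, issuer.publicKey));
}
```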
In the Vaccine Certificate Verifier v1.0.8 app, these are the errors that were shown on the app when we scanned the previous QR code of the digital certificate as well as the fake certificate that Anonoz created for the PoC video:
Since we don’t have a certificate from there to test out, we are not able to test this claim by the developer of the app. Nevertheless, out of curiosity, we did test the new QR format in MySejahtera’s certificate with verifier apps from European countries such as Portugal, Belgium, Switzerland, and Greece.

As you can see, the number of details that each app shows differs from one app to another. While these EU apps certainly recognised the new QR format for Malaysia’s digital vaccine certificate, it seems that a signature issue has rendered our certificate invalid for the time being.
This is not exactly an issue at the moment, given that Malaysians are still not allowed to travel to Europe without special approval, but we do hope that the authorities will be able to tackle this issue before the travel restriction is lifted.