Bug found on Australian government app generating digital COVID-19 vaccine certificates

An independent researcher has demonstrated the app's weakness by faking his own certificate.
By Adam Ang
03:17 AM

Photo by Daria Nepriakhina/Unsplash

A Sydney-based software engineer has disclosed a suspected bug in the Express Medicare Plus app by Services Australia that could potentially enable the creation of fake digital COVID-19 vaccine certificates.

On 18 August, Richard Nelson took to Twitter to report an issue he found in the federal government app that made it possible for him to manipulate his own digital vaccine certificate. He also found that the app does not verify a person's vaccination data.

Since then, he has reached out to the federal government agency, but to no avail. He also reported the issue to the Australian Signals Directorate, the country's spy agency, which then forwarded the case to Services Australia.

According to a news report, the agency has acknowledged Nelson's report and asked the public to inform the government about individuals who they suspect are forging their digital COVID-19 vaccine certificates.

Fully vaccinated Australians can obtain proof of their vaccination through the Medicare app, which pulls their record from the Australian Immunisation Register. They can also add their COVID-19 digital vaccine certificate to their mobile wallets.

Nelson was part of a team of independent security researchers who revealed flaws in the federal government's contact tracing app COVIDSafe. A recently published report on the app found it unhelpful in the country's pandemic response. 

THE LARGER TREND

Fake COVID-19 vaccination cards have proliferated worldwide, undermining governments' efforts to immunise their citizens. 

Most such cases have been reported in Europe, according to research by American-Israeli cybersecurity software firm Check Point. To quell these illegal activities, the European Union is now verifying QR codes on digital vaccination cards through the EU Digital COVID Certificate gateway.

In Asia, Malaysia recently introduced a mobile app that authenticates both printed and digital COVID-19 vaccine certificates stored in the MySejahtera contact tracing app.

Last week, Services Australia was informed of a circulating text scam that sends individuals a link to their supposed proof of COVID-19 vaccination. The agency clarified that it does not send out links for their vaccination proofs via SMS.
