Serious flaw in eHranica form: attackers able to send people into self-isolation

Ethical hackers from the Nethemba company uncovered two serious flaws in state systems, the second concerning EU vaccination certificates.


Hackers had the chance to send people into self-isolation or acquire the EU Digital Covid Certificate of a specific person by only discovering how to generate their birth number (rodné číslo in Slovak).


These two gaps in the state-run systems were recently uncovered by ethical hackers from the Nethemba company, which claimed that the National Health Information Centre (NCZI) has failed to protect the personal data of millions of people.

“We identified a way to receive the EU vaccination of everybody who has been inoculated – to demonstrate this, we acquired the certificates of prominent politicians,” the company wrote on its website. “All we needed was their name and birth date, which can be found on Wikipedia.”


The company reported the problems to the state in late July. In about a week, both flaws were corrected, the Živé.aktuality.sk website reported.

Still, it is not the first time NCZI has faced criticism over its systems. Nethemba pointed to the risk of a personal information leak from the Moje eZdravie app in September 2020.

Problems with birth numbers

One problem concerned the verification of birth numbers (rodné číslo in Slovak).

As there is a pattern for generating birth numbers from a person's sex and date of birth, the hackers came up with a group of potential birth numbers. They verified the numbers through a special service run by the Health Care Surveillance Authority (ÚDZS), which makes it possible to discover whether a person has valid health insurance. If the birth number does not exist, the system reports an error.


Originally, it was possible to type in the name of a person to link the number with him or her, but this possibility was scrapped from August 6. However, the service itself continues to run, meaning that it is still possible to find out whether a specific birth number exists, Živé.aktuality.sk reported.
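The weakness described above is an existence oracle: a lookup service that answers differently for a birth number that exists and one that does not, queried with a batch of candidates that share one date prefix. The following is an added illustration, not ÚDZS or NCZI code, of how an operator of such a service could spot that pattern in its own access log. The log format (ISO timestamp, client address, queried number in the YYMMDD/XXXX form), the window and the threshold are assumptions, and the log lines are constructed for the example.

```python
"""Detect birth-number enumeration against a 'does this number exist' lookup.

Added illustration, not ÚDZS/NCZI code. Assumes an access log with one line per
lookup: ISO timestamp, client address, queried birth number as YYMMDD/XXXX
(assumed log format). A client that cycles through many suffixes under the same
six-digit date prefix within a short window behaves like a guesser, not like a
citizen checking a single number.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{6})/(\d{3,4})$")

# Constructed sample log: 203.0.113.7 walks suffixes under one date prefix,
# 198.51.100.2 makes two ordinary, unrelated lookups.
SAMPLE_LOG = """\
2021-07-20T10:00:01 203.0.113.7 850304/1234
2021-07-20T10:00:02 203.0.113.7 850304/1245
2021-07-20T10:00:03 203.0.113.7 850304/1256
2021-07-20T10:00:03 198.51.100.2 621105/0012
2021-07-20T10:00:04 203.0.113.7 850304/1267
2021-07-20T10:00:05 203.0.113.7 850304/1278
2021-07-20T10:00:06 203.0.113.7 850304/1289
2021-07-20T10:05:00 198.51.100.2 901231/4321
"""


def parse(log_text):
    """Turn log lines into (timestamp, source, date_prefix, suffix) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, src, prefix, suffix = m.groups()
        events.append((datetime.fromisoformat(ts), src, prefix, suffix))
    return events


def find_enumerators(events, window=timedelta(seconds=60), threshold=5):
    """Return {(src, prefix): n} for clients that queried at least `threshold`
    distinct suffixes under one date prefix within any `window`-long span."""
    by_key = defaultdict(list)
    for ts, src, prefix, suffix in sorted(events):
        by_key[(src, prefix)].append((ts, suffix))

    flagged = {}
    for key, items in by_key.items():
        start, seen, best = 0, {}, 0
        for end in range(len(items)):  # sliding window over this client's lookups
            ts, suffix = items[end]
            seen[suffix] = seen.get(suffix, 0) + 1
            while ts - items[start][0] > window:
                old = items[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (src, prefix), n in find_enumerators(parse(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {n} distinct suffixes under date prefix {prefix} within 60s")
```

Detection is the second line of defence; the first is to stop the service from being an oracle at all, by returning the same response for a non-existent number as for an uninsured one and by rate-limiting lookups per client, which is the gap the article notes remained open after the name field was removed.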

Manipulating the eHranica form

Under currently valid rules, anyone coming to Slovakia from abroad has to fill in the eHranica online form.

The form is linked to the system run by NCZI, where it stores information concerning the pandemic, such as on testing or vaccination.

The person is required to fill in personal data, which is subsequently linked with other data in the NCZI system. However, the contact data registered during testing or vaccination is always overwritten in the NCZI database with whatever is entered in the eHranica form.

In this way, an email address or a phone number can be changed without sending any notification to the person about the change.

This means a potential attacker can register the person with a different email address or phone number and then receive all confirmations and verification codes. The victim has no way of noticing the problem unless they themselves registered through eHranica with the correct contact data.

Moreover, the person registered by the hackers could have been restricted in movement by currently valid quarantine rules even if he/she did not travel anywhere.
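The eHranica flaw is a data-ownership problem: knowing someone's name and birth number was treated as sufficient authority to replace the contact details on their record. The following is an added illustration, not NCZI or eHranica code, that places the overwrite pattern the article describes beside a hardened version in which a contact change is held as pending, the existing contact is told about the request, and the change only takes effect once someone reachable through the old contact confirms it. The record layout, function names and the notification channel are assumptions, and the sample record is constructed.

```python
"""Silent contact overwrite on form submission, beside a hardened variant.

Added illustration, not NCZI/eHranica code. The Person record, the function
names and the notification mechanism are assumed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Person:
    name: str
    birth_number: str
    email: str
    phone: str
    notifications: List[str] = field(default_factory=list)  # sent to the *existing* contact
    pending_change: Optional[Dict[str, str]] = None


def register_unsafe(db: Dict[Tuple[str, str], Person], name, birth_number, email, phone):
    """Weak pattern the article describes: the form's contact fields silently
    replace whatever the testing/vaccination registration stored earlier, so
    later confirmations and codes go to whoever submitted the form."""
    p = db[(name, birth_number)]
    p.email, p.phone = email, phone
    return p


def register_safe(db: Dict[Tuple[str, str], Person], name, birth_number, email, phone):
    """Hardened: name + birth number identify a record but do not prove control
    of it. A differing contact is parked as pending and the existing contact is
    notified; nothing is overwritten yet."""
    p = db[(name, birth_number)]
    if (email, phone) == (p.email, p.phone):
        return p  # nothing to change
    p.pending_change = {"email": email, "phone": phone}
    p.notifications.append(
        f"A change of your contact details was requested; confirm via {p.email} "
        f"to apply it, or ignore this message to keep your current details."
    )
    return p


def confirm_change(p: Person, confirmed_by_existing_contact: bool):
    """Apply the pending change only when confirmed through the old contact;
    in every case clear the pending request so it cannot be replayed later."""
    if p.pending_change and confirmed_by_existing_contact:
        p.email, p.phone = p.pending_change["email"], p.pending_change["phone"]
    p.pending_change = None
    return p


def make_db():
    # Constructed sample record; not a real person or birth number.
    return {("Jana Example", "855501/0000"): Person(
        "Jana Example", "855501/0000", "jana@example.org", "+421900000000")}


if __name__ == "__main__":
    db = make_db()
    register_unsafe(db, "Jana Example", "855501/0000", "other@example.net", "+421911111111")
    print("unsafe ->", db[("Jana Example", "855501/0000")].email)  # silently replaced

    db = make_db()
    p = register_safe(db, "Jana Example", "855501/0000", "other@example.net", "+421911111111")
    print("safe   ->", p.email, "| pending:", p.pending_change, "| notices:", len(p.notifications))
    confirm_change(p, confirmed_by_existing_contact=False)
    print("ignored ->", p.email)  # unchanged
```

The hardened path also closes the quarantine angle the article raises: a submission that merely identifies a person cannot move the record, or the person, anywhere until the legitimate contact has acted.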

Obtaining vaccination certificates


The eHranica problem also made it possible for potential attackers to obtain access to details on testing and vaccination. Knowing a person's name and birth number, they automatically received a personal Covid-19 pass at the email address or phone number they had registered.

This personal Covid-19 pass can be used in other systems run by NCZI, including a system generating the EU Digital Covid Certificates, which contain information on Covid recovery, testing or vaccination.

This EU pass could potentially be downloaded by the attacker and used wherever it serves as an entry requirement.

Though the flaw was corrected in early August, Nethemba is asking to scrap the eHranica app altogether.
