Alarming problem with Australia's Covid vaccine 'passport'

A Sydney software engineer — who managed to create a fake vaccination certificate in 10 minutes — has exposed a flaw in the Express Plus Medicare app, posing serious concerns about the future and reliability of digital vaccination certificates.

At the moment, Australians can prove their Covid-19 vaccination status by showing their immunisation history statement using the MyGovID app or Express Plus Medicare.

Prime Minister Scott Morrison said previously the government's digital vaccination certificates are a "credible and effective" way for states and territories to grant exceptions and eventually ease restrictions for vaccinated people. But now, that's been thwarted by a potential security threat.

The software engineer exposed a potential flaw in the Covid-19 digital certificate system. Source: Getty Images

Tighter security measures required

"Since the vaccine digital certificate launched, it’s been niggling in the back of my mind that something like this should both be difficult to forge and easily verifiable," software engineer Richard Nelson told Yahoo News Australia, adding that when he had a "few minutes" to spare one night, he gave it a go.

"I got my phone out to see what kinds of mitigations there were against something like this, simply because I was curious, and to my surprise there were none," he revealed.

"I was surprised it was as easy as it was, and thought maybe I had missed something on how these 'certificates' are intended to be used.

QR code would help verification

"If these are to be used for cases such as letting people into venues, they need to be more robust."

While there are other countries that use digital certificates to prove vaccination status, Australia still has some glitches to fix, according to Mr Nelson.

"Other digital vaccine passports I’ve seen have QR codes displayed that make verification of them simple," he explained.

"It’s unclear why ours does not, but for anything other than showing your vaccine status off to your friends this has to have more trust than the current model."

Mr Nelson told the ABC he sent detailed instructions on how he forged the certificate to the government but has not yet heard back.

Minister for Employment, Workforce, Skills, Small and Family Business Stuart Robert told the ABC the government has "iteratively updated proof of vaccination certificates".

"The government will continue to iteratively update the proof of vaccination certificates … including bolstering security measures," he said.

What is a Covid-19 digital vaccination certificate and how do I get it?

In Australia, people who have received both doses of a Covid-19 jab can access a digital certificate through the MyGov website, which lists their name, age and what type of vaccination they have received.

The individual's vaccine provider must report the vaccination to the Australian Immunisation Register before it will appear on the certificate.
