An example of a digital Covid-19 vaccination certificate containing a QR code. Photo / RNZ
Yesterday the government released My Covid Record, a web app which by the end of the year will allow people to store their vaccine certificates and Covid test results.
Currently, the app only lets people have access to their vaccination records.
IT security expert Daniel Ayers said the web app was using software that was known to have security flaws and people's information could be at risk.
Users can create an account for the app with their RealMe login, or sign up with their email, ID, and National Health Index number.
Ayers ran the web app through various online security testing sites, which flagged "medium-risk" gaps in its cyber-security and gave it a D rating.
He said it was unacceptable.
"This is a health system, you'd expect it to be all spick and span, nicely set up and secure, but it's not. This is a site that most, if not all of the population of New Zealand is going to have to use because it's how we get our vaccination certificates," he said.
The testing suggested the app uses an outdated version of the jQuery software library, one that has been known to have at least two security flaws since April last year.
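A check of the kind those testing sites perform, written here as an added example (it is not code from the article, RNZ, or the Ministry of Health): it pulls jQuery core script references out of a page's HTML and flags any version older than an assumed patched baseline of 3.5.0, the release that carried the April 2020 fixes; the article names no version, and the sample HTML below is constructed.

```python
import re

# Assumed baseline: jQuery 3.5.0 (April 2020). The article names no version.
MIN_SAFE_VERSION = (3, 5, 0)

# Constructed sample page; not taken from My Covid Record.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/jquery-3.4.1.min.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="/vendor/jquery.min.js?ver=1.12.4"></script>
<script src="/static/js/app.js"></script>
</head></html>
"""

SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
# jQuery core filenames only: jquery-3.4.1.min.js, jquery.slim.js, jquery.min.js ...
# (jquery-ui-*.js and plugin files deliberately do not match).
FILE_RE = re.compile(r'^jquery(?:-(\d+\.\d+(?:\.\d+)?))?(?:\.slim)?(?:\.min)?\.js$')
# Fallback: version carried in the query string (?ver=1.12.4).
QUERY_RE = re.compile(r'(?:^|&)(?:v|ver|version)=(\d+\.\d+(?:\.\d+)?)', re.IGNORECASE)


def parse_version(text):
    """'3.5' -> (3, 5, 0) so that short version strings compare correctly."""
    parts = [int(p) for p in text.split('.')]
    return tuple(parts + [0] * (3 - len(parts)))


def audit_jquery(html, min_safe=MIN_SAFE_VERSION):
    """Return one finding per jQuery core script tag: 'outdated', 'ok' or 'unknown'."""
    findings = []
    for src in SRC_RE.findall(html):
        path, _, query = src.partition('?')
        filename = path.rsplit('/', 1)[-1].lower()
        m = FILE_RE.match(filename)
        if m is None:
            continue  # not jQuery core
        version = m.group(1)
        if version is None:
            q = QUERY_RE.search(query.lower())
            version = q.group(1) if q else None
        if version is None:
            status = 'unknown'  # jQuery present but unversioned URL; needs manual check
        else:
            status = 'ok' if parse_version(version) >= min_safe else 'outdated'
        findings.append({'src': src, 'version': version, 'status': status})
    return findings


if __name__ == '__main__':
    for f in audit_jquery(SAMPLE_HTML):
        print(f"{f['status']:9} {f['version'] or '?':8} {f['src']}")
```

An 'unknown' result (an unversioned jquery.min.js) still deserves a look, since the file contents, not the URL, decide which release is actually served.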
Ayers said it was concerning the app had made it through the development process without red flags such as these being noticed.
"The thing that concerns me is not so much that it's got medium-level security problems, they're not necessarily catastrophic. I think the issue is, what do we conclude from the fact that this newly launched website has any security flaws in it?
"That's not what you'd expect from a government website that holds health information, and it's not good enough."
Ayers also questioned what quality assurance testing had been done on the website, given that he was able to identify issues with it so quickly.
However, Ministry of Health group manager of national digital services Michael Dreyer told Morning Report there was nothing to worry about.
"It is absolutely safe. My job is to keep New Zealanders' health information private and secure. We take this pretty seriously, we've put a lot of time into building this and we run rigorous security checks."
Dreyer said the software had been "crawled all over" by several security partner firms.
After reading a report on Ayers' concerns, Dreyer gave assurances that the issues pointed out were "very low risk".
"We've had this thing penetration tested a number of times and we've had it reviewed externally by a number of parties.
"We do run a process called 'responsible disclosure' where members of the public or security experts who choose to have a look into these things can go on to our website and provide information where they feel there are gaps. Our teams obviously have a look at that and engage with those people and work through any issues they find."
Dreyer said they would take the website down if they were aware of any privacy or security issues.
"We use very modern cloud software platforms and we are constantly checking, upgrading, patching, keeping ahead of these things. You know, it's something we do every day, so we're always chasing on that."
He said his team could work with Ayers to understand his concerns, but that currently there was nothing wrong with the website or app.