Jon Gaines of nVisium attributes the threat to a simple lack of input validation.
“Unfortunately, this is just another example of a vulnerability that is as old as the internet itself, which is a lack of user input validation,” Gaines told Threatpost. “In this specific case, it’s a tightrope to walk because to properly validate this input, it would need to be sent to a Services Australia server — and somehow confirm that the individual has actually been vaccinated.”
Gaines suggests that the rush to release the application was to blame and recommends an overhaul of the code.
“At this point, it would probably require a large revamp of the application to resolve this vulnerability,” he added.
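The point Gaines makes is that a client cannot be trusted to vouch for its own vaccination status; the claim has to be checked against something the issuing server controls. The example below is added here to illustrate that contrast and is not code from the application or from Services Australia, which the article does not describe at that level: it assumes a server that issues an HMAC-signed record and a verifier that rejects any record whose tag does not match, beside the flawed pattern that simply reads a flag the client supplies. The key, field names and sample record are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this example; a real issuer would keep this in an HSM
# or key-management service, never in source.
SERVER_KEY = b"constructed-example-key-not-for-production"


def issue_certificate(key: bytes, record: dict) -> str:
    """Server side: canonically serialise the record and attach an HMAC-SHA256 tag.

    Returns a compact token: base64url(payload).base64url(tag).
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (
        base64.urlsafe_b64encode(payload).decode()
        + "."
        + base64.urlsafe_b64encode(tag).decode()
    )


def verify_certificate(key: bytes, token: str) -> Optional[dict]:
    """Verifier side: accept the record only if the tag was produced with our key.

    Returns the decoded record on success, None on any malformed or tampered token.
    """
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error subclasses ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the verifier does not leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def trusting_client_check(record: dict) -> bool:
    """The flawed pattern: believe whatever status the client presents."""
    return record.get("vaccinated") is True


def tamper_with_token(token: str, **changes) -> str:
    """Model a client editing the displayed record while keeping the original tag.

    Used here only to show that the verifier rejects the result.
    """
    payload_b64, tag_b64 = token.split(".")
    record = json.loads(base64.urlsafe_b64decode(payload_b64))
    record.update(changes)
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag_b64


def demo() -> dict:
    """Run both checks over a genuine record and an edited copy of it."""
    genuine = {"name": "Example Person", "vaccinated": False}  # constructed sample
    token = issue_certificate(SERVER_KEY, genuine)
    edited = tamper_with_token(token, vaccinated=True)
    edited_record = json.loads(base64.urlsafe_b64decode(edited.split(".")[0]))
    return {
        "genuine_verifies": verify_certificate(SERVER_KEY, token) == genuine,
        "edited_passes_client_check": trusting_client_check(edited_record),
        "edited_passes_server_check": verify_certificate(SERVER_KEY, edited) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The client-side check passes the edited record because it only reads a flag; the server-side check fails it because the tag no longer matches the bytes it is presented with. Any scheme where the proof of status is generated on the device, rather than issued and checked by the server, inherits the first behaviour regardless of how the UI looks.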