Lithuanian COVID pass is interesting.
by IDrinkBottles - May 23, 2021 at 10:28 AM
#1
Hello.

I've played around with our COVID pass barcodes (gpasas.lt), and the first thing I've noticed is that the verification tool (tikrink.esveikata.lt) verifies the QR codes on the client side.

After doing some research, it became clear that our pass has an unencrypted, base45-encoded data header that can be easily manipulated and fed to the validator tool.

After some more analysis, the QR code format became clear: the first digits before the $ sign indicate the length of the base45-encoded string that's placed after the same sign. The signature is appended at the back.

The signature appears to be signed with an RSA key, and there's a client-side JS script in the index page with one of the keys in the certificateKey variable.

Sample (invalid) codes can be found at the "Naudotojo vadovas" at gpasas.lt, and I'll attach a working code of one of our politicians later.

Have fun!
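
Added example (not part of the original post, and not the verifier's own code): a strict parser for the layout the post describes, with the digits before `$` giving the length of the Base45 header and the remaining characters treated as the signature. It assumes the length counts Base45 characters and keeps the signature opaque because the post does not give its encoding; `parsePass`, `base45Decode` and the sample string are constructed for illustration.

```javascript
// Layout as described in the post: <decimal length> "$" <base45 header> <signature>
const B45 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"; // RFC 9285 alphabet

// RFC 9285 Base45 decode. Throws on malformed input instead of guessing.
function base45Decode(text) {
  if (text.length % 3 === 1) throw new Error("base45: invalid length");
  const out = [];
  for (let i = 0; i < text.length; i += 3) {
    const chunk = text.slice(i, i + 3);
    let n = 0;
    // The first character is the least significant base-45 digit.
    for (let j = chunk.length - 1; j >= 0; j--) {
      const v = B45.indexOf(chunk[j]);
      if (v < 0) throw new Error("base45: invalid character");
      n = n * 45 + v;
    }
    if (chunk.length === 3) {
      // Three characters can encode up to 91124, but only 16 bits are valid.
      if (n > 0xffff) throw new Error("base45: triplet out of range");
      out.push(n >> 8, n & 0xff);
    } else {
      if (n > 0xff) throw new Error("base45: pair out of range");
      out.push(n);
    }
  }
  return Uint8Array.from(out);
}

function parsePass(code) {
  // "$" is also a Base45 character, so only the first one, directly after the
  // digits, is the separator. The 5-digit cap is an assumption of this example.
  const m = /^([1-9][0-9]{0,4})\$/.exec(code);
  if (!m) throw new Error("pass: missing length prefix");
  const len = Number(m[1]);
  const body = code.slice(m[0].length);
  if (body.length <= len) throw new Error("pass: header truncated or signature missing");
  const headerText = body.slice(0, len);
  return {
    headerText,                      // header exactly as transmitted
    header: base45Decode(headerText), // decoded header bytes
    signature: body.slice(len),      // opaque: encoding not given in the post
  };
}

// Constructed sample: header is the RFC 9285 test vector for "ietf!",
// followed by a placeholder where a signature would be.
const SAMPLE = "8$QED8WEX0SIGPLACEHOLDER";
```

Parsing only splits the fields; a verifier still has to check the signature against the header with the issuer's public key before trusting anything `parsePass` returns.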
#2
Thanks for sharing, I'm testing it to see if it works
#3
What's the aim in all this?
#4
What is a COVID bar code? I'm really curious.
#5
(June 03, 2021 at 06:55 PM)Spyder069 Wrote: What is a COVID bar code? I'm really curious.

Maybe to give people a pass as covid free
#6
What personal gain did you get from this?

I mean if you are anti vaxxer.
#7
(June 03, 2021 at 11:25 PM)19689p Wrote:
(June 03, 2021 at 06:55 PM)Spyder069 Wrote: What is a COVID bar code? I'm really curious.

Maybe to give people a pass as covid free

Probably a way of marking Anti-Vaxxers into a system
#8
(May 23, 2021 at 10:28 AM)IDrinkBottles Wrote: Hello.

I've played around with our COVID pass barcodes (gpasas.lt), and the first thing I've noticed is that the verification tool (tikrink.esveikata.lt) verifies the QR codes on the client side.

After doing some research, it became clear that our pass has an unencrypted, base45-encoded data header that can be easily manipulated and fed to the validator tool.

After some more analysis, the QR code format became clear: the first digits before the $ sign indicate the length of the base45-encoded string that's placed after the same sign. The signature is appended at the back.

The signature appears to be signed with an RSA key, and there's a client-side JS script in the index page with one of the keys in the certificateKey variable.

Sample (invalid) codes can be found at the "Naudotojo vadovas" at gpasas.lt, and I'll attach a working code of one of our politicians later.

Have fun!

Nice one, sonny jim. Nicely thought through.
