██████╗  ██████╗ ██╗  ██╗ █████╗ 
╚════██╗██╔═══██╗██║  ██║██╔══██╗
 █████╔╝██║   ██║███████║███████║
 ╚═══██╗██║   ██║██╔══██║██╔══██║
██████╔╝╚██████╔╝██║  ██║██║  ██║
╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝

Welcome to 3OHA, a place for random notes, thoughts, and factoids that I want to share or remember.

5 January 2021


In September 2020, we identified a vulnerability in Radar COVID, the official COVID-19 exposure notification app for Spain. The vulnerability enables the identification and de-anonymization of COVID-19 positive users that upload Temporary Exposure Keys (TEKs) to the server. The root cause is the fact that connections from the app to the backend server to upload TEKs are only made by COVID-19 positive users. Therefore, any on-path observer with the ability to monitor traffic between the app and the server can identify which users had a positive test.

The vector string and CVSS score are:

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Base Score: 7.4 (HIGH)

The issue was fixed by late October 2020 and the vulnerability obtained an official number in November 13, 2020. More details are available in the security advisory published in the official GitHub repository of the app and the CVE-2020-26230 entry in the NVD.

© 2021 Juan Tapiador