Service Victoria app Working With Children’s Check security flaw exposed: Dummy QR code able to bypass system
A loophole in the Services Victoria app is letting people infiltrate other people’s Working With Children’s Checks in seconds, giving them the chance to pass them off as their own. Watch how easily it’s done.
A security flaw in a government app could allow child predators to easily gain access to and use other people’s Working With Children’s Checks (WWCC) to get jobs with kids.
The Herald Sun can reveal a loophole in the Services Victoria app is currently allowing individuals to infiltrate other people’s WWCCs in as little as 30 seconds, giving them the opportunity to pass them off as their own.
The Services Victoria app, developed by the state government, allows Victorians to upload and store their IDs digitally on their phone, including drivers licences and WWCCs.
The app also includes a QR-code reader for employers to scan and verify employees’ IDs. When a WWCC is scanned, the reader returns a web page displaying the person’s name and if they can or cannot work with kids.
The app claims this reader can only scan QR codes generated by the app. This is intended to ensure an employee has first proved their identity and holds a valid WWCC before a QR code is generated for them, which an employer can then scan.
“This app only reads Service Victoria-issued QR codes,” the app states when an invalid QR code is scanned.
“The code you’re trying to scan isn’t a Service Victoria code.”
But the Herald Sun has confirmed that the scanner can be easily bypassed with a dummy QR code due to an undetected security loophole.
It means, in theory, a predator could use someone else’s last name and WWCC ID to generate their own QR code, which when scanned, pulls up the details of the person they are impersonating — and evidence they can work with kids.
It means a predator could, within just 30 seconds, gather validation to prove they can work with children.
It would, however, require them to pretend they are someone else to get away with the fraud.
Software engineer Michael Uren uncovered the error when investigating the “dumb” scanner built into the app, proving through a simple test that it could be easily fooled into pulling up personal data of another person.
“I just dummied up a QR code … and it was able to accept it,” Mr Uren said.
It raised alarm bells for the tech expert, who said it would be easy for a child predator to steal someone else’s WWCC details, given they are often kept on site by employers.
“Schools have got massive lists of these things, sporting clubs have got them all as well,” he said.
“If (a predator) really wanted to do it, they’d be able to find these things.”
Using an employee’s WWCC details, the Herald Sun generated a dummy QR code, scanned it with the Service Victoria app and pulled up verification.
That verification screen did not show an image of the WWCC holder — meaning duped employers would have no way of verifying the person who provided the check was who they said they were.
Associate professor of cyber security at RMIT Nalin Arachchilage called the system “atrocious”, saying greater effort should have been dedicated to security and privacy.
“We really need to do the compliance checks in the first place,” he said.
“When Service Victoria introduces certain apps, they also need to think about … threat analysis, how perpetrators could manipulate the Service Victoria app through software glitches.
“In this case, they have created a QR code that would be able to bypass the app and do creditation.”
It’s prompted calls for Service Victoria to go to greater lengths to identify people before spitting out information to users.
Part of ensuring security, Mr Arachchilage said, was scrapping external URLs and making sure verification and QR codes directed to pages only within the app.
“That’s a lot more secure because it has already gone through internal security check-up processes, checking the app and checking the code,” he said.
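As an added illustration of the kind of check Mr Arachchilage’s advice points towards (this is not Service Victoria’s code; the token format, signing key, WWCC ID and register entries are all constructed for the demo), the scanner hands the code to the issuer’s backend, which accepts only codes it minted itself after the holder authenticated, so a code assembled from a surname and WWCC ID copied off an employer’s list verifies nothing.

```python
import base64, hashlib, hmac, json, time

# Issuer-side key. In a real deployment it stays in the backend (or an
# asymmetric key pair is used); it is never shipped inside the phone app.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample register: WWCC ID -> holder record (not real data).
REGISTER = {
    "WWC1234567A": {"surname": "Citizen", "cleared": True},
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_qr_token(wwcc_id: str, surname: str, ttl_s: int = 300, now=None) -> str:
    """Mint the payload the app would encode into its QR code, after the
    holder has authenticated. ID, surname and expiry are bound under a MAC,
    so none of them can be altered or invented by copying details off a list."""
    now = int(time.time()) if now is None else now
    claims = {"id": wwcc_id, "sn": surname, "exp": now + ttl_s}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def verify_scan(token: str, now=None) -> dict:
    """Backend check the employer's scanner calls. Returns the holder's
    status only when the MAC verifies, the token is unexpired and the ID
    is on the register; a hand-made code fails at the first step."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return {"ok": False, "reason": "not a Service Victoria-issued code"}
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64, bad JSON, missing separator
        return {"ok": False, "reason": "malformed code"}
    if claims.get("exp", 0) < now:
        return {"ok": False, "reason": "code expired"}
    rec = REGISTER.get(claims.get("id"))
    if rec is None or rec["surname"] != claims.get("sn"):
        return {"ok": False, "reason": "no matching check"}
    return {"ok": True, "surname": rec["surname"], "cleared": rec["cleared"]}
```

A short lifetime on the token also limits how long a screenshot of a genuine code stays usable.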
When first contacted, the Allan government said the Service Victoria app had not been compromised and was working as intended.
The Herald Sun then provided further details of the fault, including video footage.
An Allan government spokesperson said in a statement on Wednesday night that “merely scanning a false QR code does not allow you to work with children.”
“People applying to work with children need to have a valid Working With Children Check that corresponds to their actual identity, and there are already checks and balances in place to ensure this,” the statement said.
“Knowingly using a false card or another person’s card when you are applying for or doing work with children is illegal and those who do it face up to two years in jail.”