Service Victoria app gets quietly updated after Working With Children Check security bungle
The state government has issued an update to the compromised Service Victoria app after a security loophole allowing access to Working With Children Checks was revealed by the Herald Sun.
The state government has issued an update to the compromised Service Victoria app after a security loophole allowing anyone to access other people’s Working With Children Checks (WWCC) was revealed by the Herald Sun.
An update for the app was released on Thursday night citing “performance fixes and service updates” after it was proven anyone could bypass the security system with dummy QR codes and link employers to other people’s Working With Children Checks.
When installed, the new update fixed the security loophole, with the Herald Sun confirming the in-app reader could no longer read dummy QR codes.
But, as of Friday afternoon, users had not been prompted to update their app by the state government.
The government was also yet to kill the former compromised version of the app or alert users to the security flaw.
The Service Victoria app is designed to act as a digital wallet, allowing Victorians to upload their driver's licences, WWCCs and other IDs to their phone.
The government believed the in-app reader could only scan QR codes generated by the app, which would ensure only those who had verified their identity could access their WWCC.
But the Herald Sun confirmed on Thursday a security flaw in the government app could allow anyone to easily gain access to other people’s WWCCs by making their own dummy QR code with just someone’s last name and card number.
In theory, a predator willing to impersonate another person could quickly gather validation to prove they, under a false name, could work with children.
Those who knowingly use a false card or another person’s card when applying for or doing work with children could face up to two years in jail.
When first contacted by the Herald Sun, the Allan government insisted the app had not been compromised and was working as intended.
But the Allan government then conceded a loophole existed after being shown footage of the security system being bypassed.
Senior minister Mary-Anne Thomas said the technology would be fixed immediately. An update was rolled out on Thursday evening.
But as of Friday afternoon, the government had not mandated users install that update — nor had it alerted users to the security flaw.
The Allan government said the new update would require 24 hours to fully take effect and would be a “forced download” for users.
But it could not confirm if users would eventually be notified of the reason for the update or details of the security loophole.
Meanwhile, employers with the old version of the app could still be duped by dummy QR codes.
Without clicking into the app store, they would have no way of knowing they were using an outdated version of the Service Victoria app.
Following this report, the government on Saturday locked down the compromised version of the Service Victoria app and forced users to install the update before they could access their digital wallet.