
Vulnerability in contact tracing app Luca could have allowed attackers to “paralyze” health departments

submitted by
Style Pass
2021-05-31 13:30:11

The discovery of yet another vulnerability in Germany's centralised check-in and contact tracing app 'Luca' has renewed strong criticism of the app in the country.

The latest bug found in the app, which is developed by the Berlin-based software startup Nexenio, was illustrated by IT expert Marcus Mengs in a YouTube video. In theory, it would have allowed an attacker to paralyze a health department connected to the app through "code injection", i.e. by injecting malicious code into the data that the software delivers to health departments via Excel files. Thousands of citizens could have been spied on as a result.

The Federal Office for Information Security (BSI) confirmed the plausibility of the attack scenario, although it found no evidence that the vulnerability has ever actually been exploited.
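An added example (not Luca's or Nexenio's code) of an export-side defence against the injection via Excel files described above: user-supplied fields are neutralised and flagged before they reach a spreadsheet. It assumes the injected content is spreadsheet formula syntax in a CSV-style export, which the article does not specify; the field names and sample records are constructed.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as the start
# of a formula (list follows OWASP's CSV-injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if the first non-space character could start a formula."""
    # Conservative choice: leading spaces are ignored before checking.
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralise_cell(value: str) -> str:
    """Prefix risky values with an apostrophe so they are shown as text."""
    return "'" + value if is_formula_like(value) else value


def export_checkins(rows):
    """Return (csv_text, findings); findings lists (row_index, column) hits."""
    columns = ["name", "phone", "address"]  # hypothetical schema
    findings = []
    buf = io.StringIO()
    # QUOTE_ALL also keeps embedded commas, quotes and newlines inside a cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for i, row in enumerate(rows):
        out = []
        for col in columns:
            value = str(row.get(col, ""))
            if is_formula_like(value):
                findings.append((i, col))  # keep a record for manual review
            out.append(neutralise_cell(value))
        writer.writerow(out)
    return buf.getvalue(), findings


# Constructed sample records. Note that an international phone number is
# treated as risky too, because it starts with "+".
SAMPLE = [
    {"name": "Erika Mustermann", "phone": "030 1234567", "address": "Musterweg 1"},
    {"name": "=1+1", "phone": "+49 30 1234567", "address": "Beispielstr. 2"},
    {"name": "Max", "phone": "0171 000000", "address": "  @home"},
]

if __name__ == "__main__":
    text, hits = export_checkins(SAMPLE)
    print(text, "flagged for review:", hits)
```

Neutralising at export time complements, but does not replace, validating these fields when they are first submitted.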

This is a thread on the numerous inquiries regarding the #LucaApp. We assess the attack scenario of a code injection via the Luca system as plausible, depending on the specific deployment environment. (1/5)
