Canada COVID passport app leaks personal data


In yet another instance of post-pandemic cybersecurity lapses, the Canadian app Portpass has been leaking the private information of its users, including driver’s licenses and photos.

Earlier this week, news broke that Portpass, the app used by over 650,000 Canadians to prove their vaccination status, contained a cybersecurity vulnerability that allowed anyone to access any other user’s profile.

The means of bypassing the app’s basic security and accessing someone else’s data will not be shared in this article, so as not to cause further damage, as the app has not yet been confirmed to be secured.

However, with some basic manipulation of the app, anyone was granted immediate access to full profiles of unencrypted sensitive data, including driver’s licenses, which contain a victim’s name, date of birth and photo.

In response to the leaks, Portpass CEO Zakir Hussein scathingly denied the claims that the app had security issues, stating that those who voiced their concerns about the app were “breaking the law”.

Despite these comments, the app was taken offline on both mobile and desktop browsers. Users were unable to access their profiles or edit anything they had already uploaded.

The following day, Hussein released another statement to CBC News, stating:

"Someone that's out there is trying to destroy us here, and we're trying to build something good for people," he said.  

"There's holes, and what I'm realizing is I think there are some things that we need to fix here. And you know, we're trying to play catch-up, I guess, and trying to figure out where these holes are." 

He went on to say the incident continues to be under investigation, and suggested that only users who were unverified were affected by the security vulnerability. However, this remains unconfirmed, leaving over 600,000 users in the dark about whether or not their personal data was leaked to hackers or used for fraudulent purposes.

This incident adds to the growing skepticism surrounding the use of third-party apps for vaccination passports, and raises the question of whether the societal pressure to rush back to “normal” is so substantial that applications are being improperly tested and vetted.

Web developer Conrad Yeung spoke about his experience using Portpass, sharing that he had tried to manipulate the app briefly, “just to see if the app would let” him. He noticed that his verification would be accepted irrespective of the photograph he uploaded, and he also claims that some of the advertised features of the app, such as its use of AI and blockchain to keep data secure, were fraudulent.

With more and more companies, government organizations and events requiring the authentication of vaccination status via a third-party app, the daunting possibility that this is only the first of many cybersecurity incidents to come in the context of COVID-19 is very real and not something to be taken for granted.
