Data Protection/Security: Document details on new „Enlarge QR code“ feature #143

Closed
Ein-Tim opened this issue Dec 28, 2021 · 5 comments

Comments

@Ein-Tim
Contributor

Ein-Tim commented Dec 28, 2021

https://github.com/covidpass-org/covidpass/releases/tag/v0.5.0 made it possible to click on "Enlarge QR-Code" on the back of the Wallet card. When clicking on this link, one is transferred to a page like https://covidpass.marvinsextro.de/pass#SEMxOjZCRk9YTipUUzBCSSRaREZSSExSUVJKTERTU1M5VFRYOFBKRU5EQzJMRSAkQzpIOVRZTE1TSi5JNTJIUzBFREYvOFgqRzNNOUpVUFkwQlpXNEk6QTYzSE5OVlIqRzBDN1BIQlU1My9HTkRRRlZFQkRBSlRHSiBRVElZTkcuOC80M0JFQko5N0MwSCRRQjIwSFBWTitFM1JBSlNUTlNaNFNMMEVOOVVLUDBUOVdDNVBGNjg0NkEkUVc3NlFXNiVWOUZRNVZBMTMxQS5WNTZHQVUzUU82UUUzVlRLNUtKUEI5NVpFOVEkOTU6VUVORVVXNjIwMERNODhROSokSzhLRys5UlIkRisgRi5OODBOOFNONDAlS0xSMkEgS1oqVTBJMS1JMCpPQzZIMC9WTU5QTSBRNVRNOCpOOS1JMDZIMEpaUVAkSS9YSyRNODlLNipBS0g3OCRaSipESldQNDJXNURWNFovTVdQNDNYN0tWUU9BN0laNjogS1gzNUNBN0c2TSVZNFlXNjNRNC1aN01UNCBOUUFPUjgvNUNVNlNaNkZUNUQ3NVc5QVY4OEc2NFZPU1ZWUzMqSi4yRVRWOFgqUDkqNi5XMi05QS9WRUk0V0IxRDVaUCVaOEwyQks4TlE3UUVCVkI3R1FMRUglVU06QVlBMlRLNjo6SyotQkQzT0E4TUtBT1JSUkkxOEdOSiBGSjE6T1M0MEg4MEwx (this is not my QR code but just a test one)

With this feature, some questions come to my mind:

  • Has the data privacy note been updated?
  • How safe is the storage on the server? How is the link generated? What if the server is attacked, is it possible that the attackers steal all the data?
  • How long is the QR code stored on the page?
  • Is it possible to remove the QR code from the page when the user wants this?
  • Would it make sense to ask the user whether this is wanted during the generation of the pass?
  • Is there a solution which works offline?
@marvinsxtr
Member

marvinsxtr commented Dec 28, 2021

Thank you for addressing these concerns.

  • The privacy notice has not been updated as the processing still only happens in the browser
  • The part starting with a '#' is called URI fragment and is not transferred to the server (see Wikipedia)
  • The link is embedded and generated in the pass at pass creation and already contains all information needed to display the QR code
  • The QR code is dismissed by closing the tab with the QR code viewer or if holding and pressing the link, when releasing and hiding the preview
  • For offline usage, the only way would be to use a 'data:' URL containing an image of the QR code. However, this would have to be copied manually by the user and pasted into the Safari search bar, which makes it extremely tedious to use

@marvinsxtr
Member

Basically the new version implements what was extensively discussed in #75. Also the title of this issue is kind of misleading considering the points above.

@Ein-Tim Ein-Tim changed the title Data Protection/Security: Document details on storage of certificate (QR-Codes) on covidpass.marvinsextro.de Data Protection/Security: Document details on new „Enlarge QR code“ feature Dec 28, 2021
@Ein-Tim
Contributor Author

Ein-Tim commented Dec 28, 2021

Thanks for the answer @marvinsxtr!

I changed the title.

  • Okay, makes sense, if everything is still happening in the browser, the privacy notice does not require to be updated.

  • I don't fully understand what you mean, I've read through the Wikipedia entry & understand it, but don't really know what you mean with "is not transferred to the server".
    Let me simplify the question: If a person with bad intent gains access to the server, is it possible for them to view the QR codes of users?

The QR code is dismissed by closing the tab with the QR code viewer or if holding and pressing the link, when releasing and hiding the preview

So this means the QR code is only generated on the page when needed (pressing on the link), after the tab is closed, everything is deleted?

  • Regarding the offline usage: Okay, this wouldn't be very nice 😅

@marvinsxtr
Member

marvinsxtr commented Dec 28, 2021

The English version of the article states:

The fragment identifier functions differently to the rest of the URI: its processing is exclusively client-sided with no participation from the web server [...]

Basically, it is not sent with the request unlike regular URL parameters.

If someone takes over the server, they don't have access to QR codes because the fragment is not sent to the server.

If attackers had full control over what is deployed at this domain, an attack would be possible. However, this should be true for any website and the other parts of CovidPass and not specific to this implementation.

The site only displays what was passed after the '#'. This means that this information is deleted when you close the tab (and delete your search history).

@Ein-Tim
Contributor Author

Ein-Tim commented Dec 28, 2021

@marvinsxtr

Okay, I understand now! Thanks for your explanation and sorry for not understanding. The attack vector of attackers taking control and changing the implementation is another one, and if someone really did this, they could also just store all data when the QR code is uploaded.

Thanks again for answering!
Closing as answered.

@Ein-Tim Ein-Tim closed this as completed Dec 28, 2021