EU Investigates Private Key Leak in Forged COVID Passports

How did Mickey Mouse, Adolf Hitler, and Sponge Bob all get valid EU Covid-19 passports used by EU citizens to travel across national borders? The EU would really like to know and is now investigating the leak of the digital private key used to validate and certify Covid-19 vaccinations, negative tests, or successful recovery from the disease.

The digital passports, also known as "Green Passes" allows EU residents to pass across national borders without issue by showing that they are not likely to be carriers of the coronavirus that causes Covid-19, and similar programs have been set up around the world to help return life as back to normal as possible after a year and a half of global lockdown.

According to Bleeping Computer though, someone leaked the private digital key used by the Green Pass system to validate someone's information and Covid status, allowing anyone with the key to forge a Green Pass for themselves or others, often for a price.

White-hat hacker reversebrain on Twitter was one of the first to raise the alarm about the leaked key, showing that a forged Covid certificate for Adolf Hitler was valid, but soon after verified that it was no longer being recognized, presumably after the Green Pass system revoked the leaked digital key used to create it.

Forged passports appear to also be for sale online, in one case for as much (or as little) as $300. 

"We are aware of alleged fraudulent manipulations of EU Covid Certificate QR code and have seen the reports," a spokesperson from the EU told BleepingComputer.

"As a priority, we are following closely the developments of this incident and are in contact with the relevant member states authorities that are investigating and putting in place remedial actions."

"We firmly condemn this malicious act, representing an interference in a sensitive and strategic area, at a time when health services in all Member States are under pressure fighting the pandemic."