A security vulnerability in the infrastructure underlying Germany’s official COVID-19 contact-tracing app, called the Corona-Warn-App (CWA), would have allowed pre-authenticated remote code execution (RCE).
Researcher Alvaro Muñoz wrote in a report this week that he and his team at GitHub Security Labs were chasing down RCE vulnerabilities on the platform and found one in the infrastructure supporting CWA for Android and OS. The team said it worked with SAP to mitigate the issue, adding as a server-side issue, the mobile apps themselves were not impacted, and that no data was collected beyond a device’s IP address.
“There appeared to be a pre-authentication RCE vulnerability in Corona-Warn-App Server, which drives Germany’s COVID-19 contact-tracing application infrastructure,” according to Muñoz. “This vulnerability had the potential to affect the integrity of Germany’s COVID-19 response and as such warranted an immediate response from our team.”