Update of badge contact data possible
We received an error report by e-mail describing the following. First, thanks to the reporter for submitting this issue to us.
Context
In contrast to digital users, the analog user has a badge consisting of a QR code and a serial number. The user should be able to register their badge and then start using it. Currently, no function for updating badge contact data is offered to badge users in the frontend; nevertheless, such an update is partly possible through the API.
Problem description
The POST on 'api/v3/users' is meant to create users. For convenience, this endpoint also allows existing user objects to be updated. As a result, static badges can be updated through it as well.
Steps to reproduce
- get access to a static badge
- register this badge normally
- use the serial number to generate the corresponding secrets and public key material
- POST to 'api/v3/users'
Expected behavior
The POST request is denied with the error FORBIDDEN, as the update feature is not provided to static badge users.
Actual behavior
The request updates the underlying user object.
Technical analysis
The update mechanisms have guards that prevent static badges from being updated; for example, the actual update endpoint, PATCH on 'api/v3/users', carries such a guard. This guard is missing in the POST to 'api/v3/users'.
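To make the missing guard concrete, the following is an added example and not the project's own code: a minimal in-memory model of the two handlers. The field names (`userId`, `isStaticBadge`, `contact`), the store shape and the sample users are assumptions; the page does not show the real schema. It places the POST handler as described on the page (create-or-update without the static-badge check) beside a corrected version that runs the same guard the PATCH handler already applies.

```javascript
// Added example, not the project's code. Field names and the in-memory store
// are assumptions; the real user schema is not part of the advisory.

const OK = 200;
const CREATED = 201;
const FORBIDDEN = 403;

// Constructed sample data: one registered static-badge user, one digital user.
function makeStore() {
  return new Map([
    ['badge-1', { userId: 'badge-1', isStaticBadge: true, contact: { name: 'Badge Holder', phone: '000' } }],
    ['user-1', { userId: 'user-1', isStaticBadge: false, contact: { name: 'Digital User', phone: '111' } }],
  ]);
}

// The guard the page says the PATCH endpoint has: static badges may not be updated.
// Returns a FORBIDDEN response object when the update must be denied, otherwise null.
function denyStaticBadgeUpdate(existing) {
  if (existing.isStaticBadge) {
    return { status: FORBIDDEN, error: 'FORBIDDEN' };
  }
  return null;
}

// Applies a contact-data update and returns the OK response.
function applyUpdate(existing, body) {
  existing.contact = { ...existing.contact, ...body.contact };
  return { status: OK, user: existing };
}

// Creates a new user record and returns the CREATED response.
function createUser(store, body) {
  const user = { userId: body.userId, isStaticBadge: Boolean(body.isStaticBadge), contact: { ...body.contact } };
  store.set(user.userId, user);
  return { status: CREATED, user };
}

// PATCH /users as described: update only, guarded against static badges.
function patchUsers(store, body) {
  const existing = store.get(body.userId);
  if (!existing) return { status: 404, error: 'NOT_FOUND' };
  return denyStaticBadgeUpdate(existing) || applyUpdate(existing, body);
}

// Before the fix: POST /users creates, but silently falls through to an
// unguarded update when the user already exists.
function postUsersBefore(store, body) {
  const existing = store.get(body.userId);
  if (existing) return applyUpdate(existing, body);
  return createUser(store, body);
}

// After the fix: the update branch of POST runs the same guard as PATCH,
// so a static badge gets FORBIDDEN and its record is left untouched.
function postUsersAfter(store, body) {
  const existing = store.get(body.userId);
  if (existing) return denyStaticBadgeUpdate(existing) || applyUpdate(existing, body);
  return createUser(store, body);
}

module.exports = { makeStore, patchUsers, postUsersBefore, postUsersAfter, OK, CREATED, FORBIDDEN };
```

The point of sharing `denyStaticBadgeUpdate` between both handlers is that an endpoint with two behaviours (create and update) needs the authorization checks of both; a guard that lives only in the dedicated update route is bypassed as soon as another route can reach the same state change.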
Impact / Resolution / Response
Updating contact data requires access to the serial number of a badge. We are aware that some photos of badges have been taken for marketing purposes, for social media or the web. Such badges should no longer be used once they have been published on social media. Although we have already informed badge registrars and pickup points that the serial number is the user's personal secret and is also used to access the history (for the health department), we will highlight this again in our information material.
Currently, there are 29,000 badges in use. Due to a schema validation that prevents v4 badges from easily passing the POST endpoint, updating v4 badges is not as easy, but it is nevertheless possible by decompressing the public key.
Although we estimate the impact of this issue as low, because it requires access to the serial number of a badge, we have prepared a patch for this issue to prevent possible misuse scenarios.
We created this issue for transparency and to allow for open discussion points, as the issue itself is already resolved. This issue will be closed in the next few days.