France and Poland open probe into Hitler and Spongebob health passes

EU vaccination certificate were created under the fake names after individuals gained access to the cryptographic key used to verify the passes

1 November 2021

It is thought that the creation of the fake certificates was enabled by an insecure portal in North Macedonia Pic: rarrarorro / Shutterstock

By Emma Morgan

[Article updated on November 2 at 08:17]

A security breach thought to have begun in North Macedonia has enabled the creation of European Covid vaccination certificates created under fake names including Adolf Hitler and Spongebob Squarepants. 

Some of the falsified passes seem to have been approved by authorities in France and Poland, who have now begun investigating the incident.

A spokesperson for the European Commission said on Friday (October 29) that it was aware of apparently fraudulent manipulations of the European Covid certificate QR code, which is presented in France through the TousAntiCovid app.

Since Wednesday, internet users had been claiming on forums and social media platforms to have access to secret cryptographic keys that could be used to certify a health pass. 

A cryptographic key is a string of characters which contains specific information but uses an encryption algorithm to alter it so it appears to be random. In this way, it ‘locks’ up the data so only certain individuals or programmes can decrypt it.

Cybercriminals on the dark web were also recently found to be selling access to forged EU vaccination certificates for $300, proving their functionality by producing health passes for names such as Adolf Hitler and Spongebob Squarepants.

The European Commission stated that real people’s private cryptographic keys had not been compromised and said that the fake passes were the result of “illegal activity” rather than a system failure.

The Commission’s statement said that the certificates were apparently generated “by persons with valid credentials to access the national IT systems, or a person misusing such valid credentials.” 

Experts also believe that the breach could have been made through unprotected internet portals in North Macedonia, where a lack of security allowed for the creation of various fraudulent QR codes. 

To stop this, the EU states which are members of the eHealth network have “blocked the fraudulent certificates so that they will be considered as invalid by verification apps,” and the Macedonian portal has been deactivated.

The origin of some certificates remains a mystery to officials, especially as certain passes appear to have been verified by the French and Polish authorities, suggesting complicity on the part of a health professional. 

The two countries have therefore launched an investigation. 

This is not the first time that France has faced issues with the system which creates its vaccination certificates. In September, the QR codes of President Emmanuel Macron and of Mayor of Le Havre and former prime minister Édouard Philippe were shared on social media. 

Related articles

People in France to get new online health space from January 2022

France leaves open possibility of health pass until July 31, 2022

Covid France: Should I update to an EU vaccine certificate to travel?

Resident or second-home owner in France?
Benefit from our daily digest of headlines and how-to's to help you make the most of life in France
By joining the newsletter, you agree to our Terms & Conditions and Privacy Policy
See more popular articles
The Connexion Help Guides
Brexit and Beyond for Britons in France*
Featured Help Guide
What the Brexit deal means for UK residents of France, second homeowners and visitors in 2021 and after
Get news, views and information from France
You have 2 free subscriber articles left
Subscribe now to read unlimited articles and exclusive content
Already a subscriber? Log in now