Richard managed to forge a COVID vaccine certificate. It took him 10 minutes


Near-perfect forgeries of the federal government’s COVID-19 vaccine digital certificate can be made in 10 minutes using free software, a member of the public has discovered.

Richard Nelson, a software engineer in Sydney, has found an “obvious” security flaw in the Express Plus Medicare app allowing him to make vaccine certificates with any name and date of birth and featuring the background animations meant to prevent forgery.


The Prime Minister has previously said the certificates are a “credible and effective” way for states to administer exemptions from aspects of lockdowns.

The discovery of the flaw could put a hold on state and federal governments allowing the vaccinated more freedoms.

Mr Nelson found the security hole in the current system (which was launched more than two months ago) while mucking around with the Express Plus Medicare app one evening last week.

Other security experts have confirmed it’s the kind of obvious vulnerability that would have been picked up in a basic security audit of the app.

To demonstrate how easy it is to forge certificates, Mr Nelson took 10 minutes to make a counterfeit certificate with the name of this reporter (who hasn’t yet had all their shots).


“I don’t think it’s a good idea to get it out there among the anti-vax crowd,” he said.

“People who don’t have a valid certificate can fairly easily present one — the implications of that are left up to the imagination.”

Will it be fixed?

After discovering the flaw, Mr Nelson sent detailed instructions to the government, but has not yet heard back.

In response to questions from the ABC, a spokesman for Employment Minister Stuart Robert, who has ministerial responsibility for data and digital policy, said the government has “iteratively updated proof of vaccination certificates”.

“The government will continue to iteratively update the proof of vaccination certificates … including bolstering security measures,” he said.

From the response, it wasn’t clear if the government would be patching the vulnerability (which would require an update of the Medicare app).

Basic security audit would have found flaw

The security vulnerability is different to the one identified by Senator Rex Patrick earlier this month.

The senator used “a few graphics tools” to make a forgery of the PDF export of the vaccine certificate.

A man in a suit holds up his phone, with an apparent government website visible on the screen
Senator Rex Patrick has forged his own COVID-19 vaccination certificate in an effort to expose flaws in its design. (ABC News: Matthew Doran)


This only works on the PDF, as the certificate within the app itself is protected against counterfeiting by an animated tick, a live clock and a shimmering coat of arms (similar to the type used for digital drivers’ licences).

As can be seen in the video above, Mr Nelson’s more sophisticated forgery includes these anti-fraud features.

Mr Nelson said the flaw would have been “absolutely” raised in a security audit.

This isn’t the first time the experienced software developer has poked holes in government IT systems.

He was among the members of the tech community who found important vulnerabilities in the COVIDSafe app last year, including the fact that the tracking app did not work properly on a locked iPhone.

Privacy expert Vanessa Teague, another prominent member of the tech community, said the Medicare app flaw was “unsurprising after experiencing COVIDSafe”.

“Oh yeah, wow,” she said.

‘Certificates need QR-code digital signatures’

The certificates also have a bigger security problem, she said.

Other designs, such as that used by the EU, have a digital signature in the form of a QR code that can be verified as a defence against fraud.

Such a system would be much harder to trick.

“They still have to do something a bit like what the EU has done,” Ms Teague said.
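An added illustration of the signature check described above, not code from the article or from any government system: it signs a JSON payload with Ed25519 and shows a scanner rejecting a certificate whose name was changed after issue or that was signed by anyone other than the issuer. The field names and the `Cert`, `Issue`, `Verify` and `Demo` functions are assumptions, and the EU certificate uses its own encoding, which this does not reproduce.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Cert is a hypothetical payload; real schemes define their own fields.
type Cert struct {
	Name, DOB string
	Doses     int
}

var b64 = base64.RawURLEncoding

// Issue returns "payload.signature", the text a QR code would carry.
func Issue(priv ed25519.PrivateKey, c Cert) string {
	payload, _ := json.Marshal(c) // cannot fail for this struct
	return b64.EncodeToString(payload) + "." + b64.EncodeToString(ed25519.Sign(priv, payload))
}

// Verify releases the fields only if the issuer's public key validates them.
func Verify(pub ed25519.PublicKey, token string) (c Cert, err error) {
	p, s, ok := strings.Cut(token, ".")
	payload, err1 := b64.DecodeString(p)
	sig, err2 := b64.DecodeString(s)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(pub, payload, sig) {
		return c, errors.New("rejected: signature does not verify")
	}
	err = json.Unmarshal(payload, &c)
	return c, err
}

// Demo: is a genuine, an edited, and a wrongly signed token accepted?
func Demo() (genuine, edited, otherKey bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // issuer key pair (constructed)
	_, rogue, _ := ed25519.GenerateKey(nil)  // a key the issuer does not hold
	other := Cert{Name: "Someone Else", DOB: "1990-01-01", Doses: 2}
	tok := Issue(priv, Cert{Name: "Sample Holder", DOB: "1990-01-01", Doses: 2})
	_, sig, _ := strings.Cut(tok, ".")
	swapped, _ := json.Marshal(other) // new fields, original signature
	ok := func(t string) bool { _, err := Verify(pub, t); return err == nil }
	return ok(tok), ok(b64.EncodeToString(swapped) + "." + sig), ok(Issue(rogue, other))
}

func main() { fmt.Println(Demo()) } // prints: true false false
```

The scanner needs only the issuer's public key, so the check works offline and does not depend on anything the holder's screen displays.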

A smartphone with a QR code in front of an al fresco restaurant
The EU vaccine certificate is used for international travel as well as entry to cafes, museums and other public places. (Getty: Artur Widak)


The Prime Minister has flagged the vaccine certificate will get an overhaul in October, though it’s not clear if the new version will only be used for international travel and work alongside the existing vaccine certificates.

In early July, the Australian Digital Health Agency, a statutory body responsible for implementing various digital health initiatives, issued a Request for Tender for a smartphone app for storing digital vaccination certificates, along with the results of COVID-19 tests.

The proposed mobile app will be ready “prior to December 2021” and feature “multiple authenticity and anti-fraud measures”.

The spokesman for Mr Robert did not respond to questions about whether the government was working on a new type of vaccine certificate.

