Cwa-app-android: Scanning qrcode for result

Created on 17 Jun 2020  路  6Comments  路  Source: corona-warn-app/cwa-app-android

Describe the bug

One of my colleagues tried to scan a simple QR Code with the url "https://forum.test-test.de/forum/qrcode/index.php?id=22" inside.

Example qr-code with the provided url from above inside ;)
https://imgur.com/a/GYJtnJJ

PS:
The number behind id=X can only be registered once.

Expected behaviour

A error should come up, that the qrcode is not valid. But it was registered as a valid test result.

Steps to reproduce the issue

  1. Open the app
  2. Go to "have you been tested?"
  3. Choose the otpion "document with qr-code"
  4. Scan the provided qr-code

Technical details

  • Huawei Mate 20 Pro running Android 10 on EMUI 10.0.0 (app version 1.0.0)
bug wontfix
Source
picture MarcusCoding

Most helpful comment

Hey,
this is actually intended behaviour to mitigate brute force attacks against the backend. You are able to register any kind of id as a "valid" test but the result will always return as peding without resolving.

picture kolyaopahle on 17 Jun 2020
👍2

All 6 comments

I cannot reproduce this. I get the following error message:

Error
The QR code/TAN is invalid [...]

Nokia 6.1, Android 10

IndianaDschones picture IndianaDschones on 17 Jun 2020

Hello @IndianaDschones ,

could you try it again with this qr-code?

https://imgur.com/a/XpZuw46

Thanks, the qr-code with the id=22 was already tested by us, this one should work.

MarcusCoding picture MarcusCoding on 17 Jun 2020
👍1

You麓re right. Now it is indeed recognized as an valid QR code. It states that my _result is not available_

IndianaDschones picture IndianaDschones on 17 Jun 2020
👍1

Hello @IndianaDschones ,

I have the same message:
"Ergebnis liegt noch nicht vor".

So it is registered as a valid qr-code but without a result.

MarcusCoding picture MarcusCoding on 17 Jun 2020

Hey,
this is actually intended behaviour to mitigate brute force attacks against the backend. You are able to register any kind of id as a "valid" test but the result will always return as peding without resolving.

kolyaopahle picture kolyaopahle on 17 Jun 2020
👍2

@kolyaopahle : Could you elaborate a bit more, how this behavior mitigates against brute-force?
Would there be an option to at least show an error, if the QR Code is fundamentally not CWA compatible?
B/c if this relies solely on the user, using the right app they will get confused. (See e.g. here: https://twitter.com/TristanKretsch1/status/1290315954304495618)

daimpi picture daimpi on 3 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

MikeMcC399 picture MikeMcC399  路  3Comments
sdschulze picture sdschulze  路  3Comments
Magoli1 picture Magoli1  路  3Comments
tegutistgut picture tegutistgut  路  3Comments
michaelwingender picture michaelwingender  路  3Comments