By simply entering users’ full names and their 18-digit Citizen Identity Number, the hackers could gain full access to the victims’ COVID-19 testing records and details of any future test appointments they may have booked, according to Hongxing News (in Chinese), a digital news site affiliated with Chengdu Economic Daily.
The hacked data is particularly appealing to obsessive celebrity fans, as it included the headshots users had submitted for facial recognition when signing up. Yet when someone logged into another user’s account, the app did nothing to verify the requester’s identity.
It’s unclear when the bug was discovered, but the fallout of the hacking campaign started last week when thousands of photos of well-known figures — mostly ordinary, low-quality selfies — appeared for sale in online communities formed by pop culture fans. In one case, the seven members of Chinese boy group Teens in Times had their “health code photos” unlawfully commercialized by the hackers, who peddled the product among their devoted followers for as little as 3 yuan ($0.46) per download.
The breach was built on an already-existing underground marketplace in China where individuals’ ID numbers are sold at an extremely low price. Even those of famous people are easily accessible. As an online post advertised, a bundle of 1,000 personal government ID numbers of celebrities may net a cybercriminal a mere 1 yuan ($0.15) in total.
While the app’s developer never responded to the scandal, the bug appears to have been fixed as of today. When trying to log in to certain celebrities’ accounts with the information purchased from the hackers, journalists with the Beijing News found (in Chinese) that facial recognition is now required.