How to Hack the New York State COVID Vaccine App
The New York state COVID vaccine app is is lesson in what not to do when designing apps.
In a perfect world, applications that schedule COVID vaccination appointments would work reliably under heavy and fluctuating loads. They’d also mitigate the risk of abuse and ensure that everyone gets fair access to vaccines. In the real world, that doesn’t appear to be happening, if New York State’s vaccine scheduling app is any indication. Here’s a look at how the vaccine app works and how it could be “hacked” to jump the appointment line.
New York’s Vaccine App: An Overview
The New York vaccination app lets people schedule appointments to be vaccinated at one of the dozen-or-so vaccination centers that the state runs.
The vaccine app workflow is straightforward. Users start by filling out a form to determine their eligibility to receive the vaccine. If the app deems them eligible based on their answers, it provides links for scheduling vaccinations at an appointment site of their choosing. (Initially, the links were always the same for everyone, and you could use them even if you didn’t fill out the form first. Developers changed this when it became clear that users were sharing links without filling out the form, but it may still be possible to bypass the form.) After clicking the link for the site they want, users select a date and time for their appointment. The app then emails a confirmation.
Appointment data appears to be updated in real time, and it changes constantly. You could click the link for your desired vaccination one minute, only to see a message telling you there are no appointments available. But if you refresh the page, you may see an open appointment slot.
Abusing the Vaccine App
The vaccine app does its core job well: It lets people book appointments to get vaccinated.
But it also suffers from flaws that could expose it to potential abuse. Tech-savvy folks could exploit these flaws to cut the line and schedule vaccine appointments before others. They could even potentially flood the system with bogus appointments, leading to wasted vaccines and mass confusion.
These loopholes are the result of two main weaknesses in the application.
1. Scripted form input
First, the app appears to do little or nothing to mitigate the risk that someone could deploy scripts to book appointments.
Imagine this scenario: You want to book an appointment to get vaccinated, but the app tells you that all appointments at the site closest to you are already taken. However, because the data constantly changes, you may be able to get a slot by refreshing the page. Keep refreshing long enough, and an appointment is likely to open up.
A real person, of course, can only refresh the page so often. In that sense, the playing field is level. We’re all sitting at our computers, pressing F5 and hoping an appointment slot pops up.
But what if you could have a computer check for an open slot for you automatically? What if, instead of having to keep clicking the refresh button every minute or so and waiting for the page to reload, you ran a script that reloaded the page a hundred times a second using multiple headless browser sessions, then automatically booked an appointment under your name when it hit upon an open slot?
By all appearances, that would be quite easy to do. The app doesn’t include captchas (which don’t work very well anyway, but they’re better than nothing) that could make automated input more difficult. Nor does the app seem to record session data in any way that would allow it to force the client to start back at the beginning after refreshing the booking page a certain number of times.
Indeed, you wouldn’t even be abusing the app or violating any terms of use by using headless browser scripts to automate your booking in this way. There are no discernible terms of use for the app.
This matters, of course, because it’s not hard to imagine someone who is tech-savvy using this sort of approach to gain an advantage in booking appointments.
All of the above is further complicated by the fact that the vaccine scheduling app, in my experience, is overloaded, making it even more difficult for human users to navigate. Pages typically take minutes to load, and they sometimes toss out random errors, which makes it frustrating for a human user to refresh the page manually on a frequent basis. But if you’re a headless browser script, you don’t care about page load delays and errors. You’ll just keep firing, thousands of times per minute, until you get an appointment.
For the record, I haven’t actually tried abusing the app in this way. That would be unethical. It’s possible that there are safeguards in place somewhere on the server side to mitigate these risks. Maybe the server would blacklist me if it noticed thousands of requests per minute from my IP address, for example.
Still, given the simplicity of the app itself--and the fact that it did nothing to hinder my ability to refresh it manually on a very rapid basis--I’m not convinced that it would stop someone from using a script to cut ahead in the appointment line.
2. Data quality
A second issue is that the vaccine app appears to do nothing to validate the information that users submit when they book appointments. It will happily allow you to book multiple appointments for the same person (I did this, wrongly thinking I had to book appointments for both a first and second dose), and it does not verify that the person who completed the eligibility form is the same as the person for whom the appointment is booked.
This means not just that you could book multiple appointments for yourself--which some folks may do, in an effort to increase their chances of getting vaccinated in the event that some appointments are canceled due to lack of vaccine--but also that you could potentially book a large number of appointments for bogus people.
In other words, you could go in--perhaps with the help of a script that would automate this process--and set up appointments for thousands of people based on fake names, fake addresses and the like. The vaccine app would be none the wiser, because it apparently doesn’t perform any data quality checks to ensure that the person you’re booking for actually lives at the address you provide, or that the person even exists at all.
Why would you want to make a bunch of bogus appointments, you ask? Maybe because you’re interested in disrupting the vaccination process. If you manage to fill up a vaccination site’s schedule with hundreds of appointments for people who don’t exist, you deny slots to real people who need them. And you could potentially force medical teams to throw out vaccine, if they open it and no one shows up to take it. So, there seems to be a real risk here that goes far beyond letting people make multiple appointments for themselves.
To be fair, this lack of data quality validation may be deliberate. The state doesn’t have personal details on every person who is eligible for vaccination. The application developers may have decided to err on the side of making it easier for people to book, rather than risking blocking some legitimate users because they don’t have an address in state records, for instance. Attempting to prevent double-bookings could also be problematic if, for example, you are dealing with a father and son who have the same name, address and phone number. In that case, what might appear to be a redundant booking could be two separate bookings for two separate people.
Still, I can only hope that, behind the scenes, someone is on the lookout for data quality issues or anomalies within booking information that could signal abuse. I’d hate to read a news story about vaccine being wasted because someone exploited this hole in the system.
Conclusion
Although I haven’t looked at the numerous other COVID vaccination appointment apps that are being rolled out, I suspect that many of them suffer from the same risks as New York State’s vaccine app.
These issues are understandable. The developers tasked with building these apps face the monumental challenge of having to design apps that will serve millions of people, with very little time to test them. Flawed though it may be, I think New York’s vaccine app is actually pretty impressive, given how quickly it was deployed.
Nonetheless, I do hope someone’s checking on the sorts of vulnerabilities I’ve described above. They’re not even hacks as much as they are exploits of gaping holes in the system. The last thing the world needs is even more problems distributing vaccines and poorly designed software systems create that risk.
About the Author
You May Also Like