The federal government’s COVID-19 vaccination certificate can be forged using a widely known technique to bypass the protections.

Fenn Bailey, a software developer in Melbourne, stumbled upon the security flaw this week after reading about other publicised vulnerabilities.

He discovered the government was relying on a “high-school grade permissions password” to prevent unauthorised people from being able to alter or copy versions of the vaccination certificates.

Mr Bailey found it was then possible to change a name or the vaccinated status on the certificate.

A long outdoor queue with marshals in orange vests
About half of fully vaccinated Australians have accessed their COVID-19 vaccination certificate.(

Getty: Mark Kolbe


“One could argue that this means these [documents] are not certificates, in that they fail to meet the definition of being certified as authentic,” Mr Bailey said.

This isn’t the first time a member of the public has found a way to forge a version of the federal government’s vaccination certificate.

Space to play or pause, M to mute, left and right arrows to seek, up and down arrows for volume.

Play Audio. Duration: 11 minutes 3 seconds

But the fact it can be done so easily shows the government did not take basic steps to prevent forgery, Mr Bailey said.

“To anyone who is fairly qualified in this field, the failings are dramatic,” he said.

Other vulnerabilities that allow the certificates to be forged have gone unfixed after being brought to the government’s attention, including a method reported more than two weeks ago. 

This could create problems when relying on the certificates to grant extra freedoms to the fully vaccinated.

Will NSW vaccine passport be any more secure?

From next week, fully vaccinated New South Wales residents will be able to spend more time outside, with police monitoring their vaccination status.

It’s expected other freedoms will be granted as the vaccination rate improves.

But given the security holes in the vaccine certification system, it’s not clear how authorities, or workers at pubs, cafes and restaurants, will be able to spot any potential forgeries.

One solution may be a new, more secure app.

A man holds a phone that reads 'COVID-Safe check-in' and 'Betty's cafe'
NSW Minister for Customer Service Victor Dominello with the Service NSW vaccine passport to be trialled next month.(

Supplied: Victor Dominello on LinkedIn


From October, the federal government will issue vaccination passports for people to use when they travel overseas.

Though details are scarce, these appear to have better security than the vaccination certificates, with a QR code to verify vaccination status.

However, there are no plans to roll these out for domestic use.

That leaves the possibility the states will develop their own vaccine passport systems.

From early October, the NSW government will trial a vaccine passport system within the Service NSW app, which is currently used for venue check-ins.

Three screenshots for the Service NSW vaccine passport.
A series of screenshots showing how the Service NSW vaccine passport will work.(

Supplied: Service NSW


In response to questions from the ABC, Service NSW did not share details of how the app will work; whether it would directly access the Australian Immunisation Register for proof of vaccination, or instead rely on a person’s federal vaccination certificate.

“Service NSW is working closely with the federal government on the ability to display a COVID vaccination certificate within the Service NSW app and link vaccination status with the COVID-Safe Check-In,” a Service NSW spokesperson said in a statement.

The spokesperson did not respond to questions about whether the federal government certificates would still be accepted as proof of vaccination alongside the Service NSW app.

If they were accepted, the forgery problem would remain, regardless of whether or not the NSW app was secure.

At the same time, not accepting federal vaccination certificates could create widespread confusion.

Senate Estimates heard last week that about 3.5 million Australians have accessed their federal government vaccine certificates.

On top of this, most appear to be intending to use the existing certificate (which can be more easily forged than the in-app digital certificate).

Services Australia chief executive officer Rebecca Skinner told Senate Estimates that the government agency was helping people print their certificates.

“We also have people who phone in to our help desk phone lines and ask for us to send a printed version, and we’re doing that as well,” she said.

“And, where people are able to move around in the community, they are also stopping into service centres, and we print it out for them there as well.”

A man in a suit holds up his phone, with an apparent government website visible on the screen
Senator Rex Patrick has forged his own COVID-19 vaccination certificate in an effort to expose flaws in its design.(

ABC News: Matthew Doran


Senate Estimates also heard that about a third of the 3.5 million Australians who have accessed their certificates had taken the trouble of setting up the Express Plus Medicare app digital certificate.

The remainder, about 2 million, appear to be intending to use the digital certificate.

This points to a future scenario where easily forged certificates are the most common way of proving vaccination status.

Asked about the risk of forgery, Ms Skinner told Senate Estimates that both the in-app digital certificate and the PDF version could be trusted.


But members of the Australian tech community have shown that all versions of the federal government’s vaccine certificates can be faked. 

Software engineer Richard Nelson, for instance, has demonstrated he can add any name or type of vaccine — including drugs that are not vaccines — to an “anti-fraud” certificate on the Express Plus Medicare app.


He says the certificates will remain easy to fake until they feature a digital signature, like the kind used in the EU’s vaccine passports.

The vulnerability in the Express Plus Medicare app that allows him to forge certificates has not been fixed, more than two weeks after he alerted the government.

‘Exponential’ growth in demand for fake certificates

Meanwhile, demand for fake vaccine certificates appears to be on the rise globally.

Matt Warren, director of the RMIT Centre of Cyber Security Research and Innovation, said vaccine certificates were being forged from the US to the UK.

The Australian certification system, he said, has “real issues of integrity”.

“Nothing has been done to create a secure system,” he said.

“I think certainly the anti-vaxxers will be the market for those forged certificates because they want to travel.

“They’ll want to go to the footy, to pubs and restaurants.”

A woman's hand holding a card with vaccine details
A patient holding a CDC vaccine card.(

Getty: Joan Slatkin


On the encrypted messaging app Telegram, anonymous sellers offer forged Australian vaccine certificates alongside those for other countries.

The going price per digital certificate is about $US200.

The sales pitches in messaging groups include anti-vaccination statements, such as: “We are here to save the world from this poisonous vaccine”.

One seller who said he was based in the US claimed to have made “many” certificates for Australians, though this cannot be confirmed.

A screenshot titled immunisation history statement with blurred personal details
A purportedly forged immunisation history statement.(



Security researchers at Check Point Software Technologies say they’ve seen exponential growth in volumes of followers and subscribers to groups and channels offering COVID-19 certificates.

Mr Nelson has also been contacted by Australians wanting fake certificates, demonstrating there is demand within Australia for them.

Space to play or pause, M to mute, left and right arrows to seek, up and down arrows for volume.

Play Video. Duration: 4 minutes 34 seconds

Moderna vs Pfizer: What’s the difference?

Is there a better, more secure system?

Security experts unanimously say the EU’s vaccine passport system is more secure.

The EU passports contains a QR code with a digital signature to protect them against falsification.

When a person enters an EU country, for instance, the border guard scans the QR code and the signature is verified through a serviced called the EU Gateway.

The Gateway doesn’t store vaccination data; it only checks the signature is correct.

The advantage of this system is privacy: no-one has access to a certificate holder’s personal data other than the country that issued the certificate.

Privacy expert Vanessa Teague said the EU system would be a more secure alternative to the current Australian one.

“We’re going to have to be able to verify EU vaccine certificates if we let Europeans back in to Australia, so we might as well build vaccine certificates that require the same verification,” she said.

A certificate with a name, date of birth and a QR code
An example of part of the new COVID-19 vaccination certificates being issued in France that have a QR code compatible with an EU-wide verification system.(

Supplied: TousAntiCovid


Professor Warren also said it would “make sense for Australia to pick an effective system like the EU one.”

Mr Bailey pointed out the EU technology is “open-source, peer-reviewed and has been in heavy use in Europe for months”.

In March, the World Health Organization released an interim guidance for developing vaccination certificates that recommended using digital signatures to verify authenticity.

“Why the Australian federal government have chosen to ignore this is, frankly, baffling,” Mr Bailey said.

“This is not just because it actually works, but because it would allow global interoperability had we adopted this approach.

“It feels like yet another example where we’re going to end up 6-12 months behind the rest of the world, playing catch-up.”

Loading form…