How the poorly designed UX of the coronavirus test nearly put us in isolation, but the security hole saved us



This is me, writing a script to iterate over parameters for a POST request to gov.tr, sitting in front of the border to Croatia.



How it all began



My wife and I travel the world and work remotely. Recently we moved from Turkey to Croatia (the most convenient point to fly into in Europe). To avoid quarantine in Croatia, you need a certificate of a negative COVID test taken within the 48 hours before entry.



We found out that the test can be done relatively cheaply (2500 rubles) and quickly (all results come within 5 hours) at the Istanbul airport, the one we were flying out of.



We arrived at the airport 7 hours before departure and found the test point. Everything there is done chaotically: you come up, hand over your passport, pay, get 2 barcode stickers and go to the mobile laboratory, where they take one of the stickers from you to identify your sample. On the way out they tell you: go to this site, enabiz.gov.tr/PcrTestSonuc , enter your barcode and the last 4 digits of your passport, and after a while the result will be there.







But if you enter the data right after the test, the page gives an error.









Even then, thoughts about the "excellent" UX crept into my head: if the operator who typed in the passport data makes any mistake, there is no way to find out your result at all.



Before departure



Departure time comes, I enter my data and see that there are already documents for them, although there is no test result yet.









It can even be seen that the samples arrived at the laboratory 1.5 hours ago. But entering my wife's data still throws an error that no record was found. And most importantly, you cannot just go back and ask what is wrong, because we took the test in the area before passport control.



When boarding the flight, they demanded the test results from us, but fortunately we were able to convince the airline representative that they would appear soon (we showed the barcodes) and that, as a last resort, we would go into quarantine.



As soon as I got on the plane, the result for my barcode appeared: my test was negative.







Upon arrival



And this is where the fun begins! As soon as we arrived and connected to the local WiFi, it turned out that my wife's record was still not in the database. And at the border itself they treated the documents very carefully: the border guard took the coronavirus test certificate to a separate room to check that it was genuine. We decided that we would tell our true story as it is and find out what options we had.



While we were in the queue, I decided to check how the validation page reacts to correct (my) and incorrect data.



It turned out that it sends a POST request to www.enabiz.gov.tr/PcrTestSonuc/GetPcrRaporVerifyWithKimlik with the following parameters:



barkodNo = XX

kimlikNo = YY

kimlikTipi = 2

where barkodNo is the barcode number, kimlikNo is the passport number and kimlikTipi is a fixed parameter equal to 2 (when only the first two fields are filled in). No tokens were visible. The request returned 1 for the correct parameters (my data) and 0 for wrong ones.
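The lookup described above answers 1 or 0 for a barcode plus the last four digits of a passport, with nothing limiting how often it can be asked. As an added example (not the enabiz.gov.tr code, whose implementation is not on this page), here is how such a result-lookup endpoint can be designed so that a four-digit suffix cannot simply be walked: a per-barcode failure counter locks the barcode after a few wrong attempts, and unknown barcodes and wrong suffixes get the same answer. The class and function names, the barcode values and the lock parameters are assumptions made for the example; the suffix 6505 is reused from the post as sample data.

```python
"""
Added example, not the enabiz.gov.tr implementation: a result-lookup
endpoint that pairs a barcode with a short identity suffix, plus a
per-barcode failure counter so the suffix cannot be enumerated.
All class, function and sample values below are assumptions for the demo.
"""
import hmac
import hashlib
import secrets
import time

MAX_FAILURES = 5         # wrong suffixes tolerated per barcode before locking
LOCK_SECONDS = 15 * 60   # how long a locked barcode refuses all lookups


def _fingerprint(barcode: str, suffix: str, salt: bytes) -> bytes:
    # Keyed hash of the suffix; the salt is per record, so two people with
    # the same four digits do not share a fingerprint. Hashing alone does
    # not make a 4-digit value hard to guess: the lockout below does that.
    return hmac.new(salt, f"{barcode}:{suffix}".encode(), hashlib.sha256).digest()


class VerifyService:
    def __init__(self, clock=time.monotonic):
        self._clock = clock       # injectable so the lock window can be tested
        self._records = {}        # barcode -> (salt, fingerprint, result)
        self._failures = {}       # barcode -> (count, window_start)

    def register(self, barcode: str, suffix: str, result: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[barcode] = (salt, _fingerprint(barcode, suffix, salt), result)

    def verify(self, barcode: str, suffix: str) -> str:
        """Return 'ok:<result>', 'locked' or 'no_match'.

        Unknown barcodes and wrong suffixes get the same answer and both
        count as failures, so neither field can be enumerated here.
        """
        now = self._clock()
        count, since = self._failures.get(barcode, (0, now))
        if now - since >= LOCK_SECONDS:   # failure window expired, start fresh
            count, since = 0, now
        if count >= MAX_FAILURES:
            return "locked"

        record = self._records.get(barcode)
        matched = False
        if record is not None:
            salt, fingerprint, result = record
            matched = hmac.compare_digest(fingerprint, _fingerprint(barcode, suffix, salt))
        if matched:
            self._failures.pop(barcode, None)
            return f"ok:{result}"
        self._failures[barcode] = (count + 1, since)
        return "no_match"


def simulate_enumeration(service: VerifyService, barcode: str):
    """Walk every 4-digit suffix in order, as the post describes, and report
    whether the result was ever confirmed and how many requests got answered."""
    for n in range(10_000):
        answer = service.verify(barcode, f"{n:04d}")
        if answer.startswith("ok:"):
            return True, n + 1
        if answer == "locked":
            return False, n + 1
    return False, 10_000


if __name__ == "__main__":
    svc = VerifyService()
    svc.register("BC-0001", "6505", "negative")   # constructed sample record
    print(svc.verify("BC-0001", "6505"))           # ok:negative
    print(simulate_enumeration(svc, "BC-0001"))    # (False, 6): locked before the hit
```

With these settings an enumeration of all 10,000 suffixes is answered six times and then refused, so the correct value is never confirmed; the legitimate holder waits out the lock window and then gets the result. The counter is keyed by barcode rather than by client address on purpose: the post shows the requests arriving from shared airport WiFi, where an address-based limit would also block the other travellers behind the same NAT.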



From Postman I tried about 40 combinations by hand (in case it was a one-character typo), but nothing came of it.



At that moment we reached the border guard; he listened to our story and offered quarantine. But we clearly did not want to sit in an apartment for 14 days, so we asked to wait a little in the transit zone to try to sort out the problem within a couple of hours. The border guard understood our situation, went to find out whether we could sit in the white zone, and, with his superior's consent, said: "okay, just a couple of hours".



I started looking for the phone number of the people running the corona test, and at the same time decided to test a crazy hypothesis: if this system has such terrible UX, then its security is probably not good either, even though it is a gov.tr site.



As a result, while on the phone, I wrote a small script that iterated over all numbers from 0000 to 9999 in the kimlikNo field. We had the barkodNo on the sticker, so it could not be wrong.



Imagine my surprise when even after 500 continuous requests I was not banned, and the script kept running at 20 requests per second from the airport WiFi.
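Five hundred consecutive failed lookups for one barcode at 20 requests per second is a pattern that should have been visible on the server side long before the script finished. As an added example (not code from the post and not anything from enabiz.gov.tr), here is a detector that reads access-log lines for the verification endpoint and raises one alert per (client, barcode) pair once more than a handful of distinct kimlikNo values have been tried for the same barcode inside a sliding window. The log format, the field names, the client addresses and the sample lines are all constructed for the example; only the endpoint path and parameter names come from the post.

```python
"""
Added example, not code from the post or from enabiz.gov.tr: a detector
that reads access-log lines for the verification endpoint and flags a
client that keeps trying different kimlikNo values for one barcode.
Log format, thresholds, addresses and sample lines are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format:
# "<iso-timestamp> <client> POST <path> barkodNo=<b> kimlikNo=<k> resp=<0|1>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) POST /PcrTestSonuc/GetPcrRaporVerifyWithKimlik "
    r"barkodNo=(?P<barcode>\S+) kimlikNo=(?P<kimlik>\S+) resp=(?P<resp>[01])$"
)
WINDOW_SECONDS = 60
MAX_DISTINCT_KIMLIK = 5   # a genuine traveller mistypes once or twice, not six times


def parse_line(line: str):
    """Return (ts, src, barcode, kimlik, success) or None for lines that are not lookups."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["barcode"], m["kimlik"], m["resp"] == "1"


def detect_enumeration(lines):
    """Sliding-window count of distinct kimlikNo values per (client, barcode).

    Raises one alert per (client, barcode) pair at the moment the distinct
    count inside the window exceeds MAX_DISTINCT_KIMLIK. Lines for one pair
    are expected in time order, as a log file delivers them.
    """
    windows = defaultdict(deque)      # (src, barcode) -> deque of (ts, kimlik)
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, barcode, kimlik, _ok = parsed
        key = (src, barcode)
        window = windows[key]
        window.append((ts, kimlik))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()          # drop entries older than the window
        distinct = {k for _, k in window}
        if len(distinct) > MAX_DISTINCT_KIMLIK and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src,
                "barcode": barcode,
                "distinct_kimlik": len(distinct),
                "first_seen": window[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


def _fmt(ts, src, barcode, kimlik, resp):
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return (f"{stamp} {src} POST /PcrTestSonuc/GetPcrRaporVerifyWithKimlik "
            f"barkodNo={barcode} kimlikNo={kimlik} resp={resp}")


def constructed_log():
    """Constructed sample: one traveller with a single typo, one unrelated
    request, and one client walking suffixes at 20 requests per second."""
    t0 = datetime(2021, 8, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = [
        _fmt(t0, "203.0.113.7", "BC-1001", "6504", 0),
        _fmt(t0 + timedelta(seconds=30), "203.0.113.7", "BC-1001", "6505", 1),
        "2021-08-01T09:00:31.000Z 203.0.113.7 GET /PcrTestSonuc/ 200",   # ignored
    ]
    lines += [
        _fmt(t0 + timedelta(milliseconds=50 * n), "198.51.100.9", "BC-1002", f"{n:04d}", 0)
        for n in range(40)
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(constructed_log()):
        print(alert)
```

On the constructed log the traveller's one typo produces no alert, while the enumerating client is flagged a quarter of a second after it starts, with the barcode it is working on and the time span recorded; in a real deployment that alert is the trigger to lock the barcode and to notify the traveller whose record is being probed.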



The calls were not very successful: I was redirected from one department to another. But very soon the script produced the coveted value 6505, which looked nothing like the real last 4 digits of the passport.



After downloading the document, it turned out that the passport was clearly not my wife's (such numbers do not even exist in Russian foreign passports), but all the other data (including name, surname and date of birth) was correct.







The most interesting thing is that the barcodes are not random either, but almost sequential. So in theory I could have found the person who got my wife's passport number, and more generally could have steadily extracted other people's private data.



But it was 9 am after a night without sleep, I was late for an online meeting and glad that they let us through without quarantine, so I simply started my journey through Europe.