South Korea is one of several countries that used a comprehensive test, trace and isolate plan to dramatically reduce instances of COVID-19. Unfortunately, a New York Times report claims that one of the key pillars of its strategy, a mobile app designed to monitor at-home quarantines for people arriving in the country, was seriously insecure. A security researcher found a flaw in the app that would have allowed hackers to access private information. In addition, hackers would have been able to rig the app to make someone look like they were making unauthorized trips outside their home.

Security researcher Frédéric Rechtenstein, who lives in Seoul, was using the app to monitor his own 14-day isolation period after traveling. Out of curiosity, he began investigating the app, finding that the user IDs were not randomly generated and therefore guessable, enabling him to access this private information. In addition, the app’s code stored the encryption key (which was “1234567890123456” within its code, making it even easier for a motivated hacker to decrypt any data they wished to access.