Experts found a vulnerability in the application of the Moscow State Services
Specialists at the company Postuf reported a vulnerability in the Moscow State Services mobile application that made it possible to gain access to a user's account knowing only the user's mobile phone number.
This gave access to all the information the user had entered on the site: full name, e-mail address, year of birth, medical insurance number, list of movable and immovable property, foreign passport details, information about children enrolled in schools, and so on. Knowing the medical insurance number and the year of birth, it was then possible to reach medical information: which doctors the person visits, what prescriptions have been written for them, the history of their registration with clinics, etc.
"The vulnerability made it possible not just to view, but also to change, the data," said Bekhan Gendargenoevsky, founder of the company Postuf.
The expert notes that the data from the portal on its own cannot be used to cause serious harm, but such personal data can be used by hackers for phishing attacks.
"It is impossible to steal money directly [with such information], although hackers can use their knowledge in social engineering and try to steal bank card data from a person," said the computer security specialist.
He also noted that, because the system placed no restriction on the number of account-access requests, it was possible, by requesting so-called "beautiful" (vanity) numbers, to obtain information "about a number of well-known personalities who, as a rule, have such numbers."
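A defender's check for the unlimited-request problem described above, added here as an example and not code from the article or from Postuf: it scans constructed access-log lines for a phone-number-keyed account lookup endpoint (the log format, timestamps, addresses and phone numbers are all assumed) and flags any source address that queries more than a few distinct numbers within a one-minute sliding window, which is the signature of number enumeration rather than a single user retrying their own login.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp source_ip phone outcome".
# 198.51.100.7 walks five different numbers in ten seconds (enumeration);
# 203.0.113.5 retries one number (normal user); 192.0.2.9 looks up two
# numbers ten minutes apart (below the threshold in any window).
SAMPLE_LOG = """\
2019-01-01T10:00:00 198.51.100.7 +79990000001 ok
2019-01-01T10:00:02 198.51.100.7 +79990000002 ok
2019-01-01T10:00:04 198.51.100.7 +79990000003 ok
2019-01-01T10:00:06 198.51.100.7 +79990000004 ok
2019-01-01T10:00:08 198.51.100.7 +79990000005 ok
2019-01-01T10:00:01 203.0.113.5 +79991234567 ok
2019-01-01T10:00:30 203.0.113.5 +79991234567 ok
2019-01-01T10:01:10 203.0.113.5 +79991234567 ok
2019-01-01T10:00:05 192.0.2.9 +79995550001 ok
2019-01-01T10:10:05 192.0.2.9 +79995550002 ok
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, source, phone, outcome)."""
    ts, src, phone, outcome = line.split()
    return datetime.fromisoformat(ts), src, phone, outcome


def find_enumeration(log_text, window=timedelta(seconds=60), max_distinct=3):
    """Return {source: worst_distinct_count} for every source that queried
    more than max_distinct distinct phone numbers inside any sliding window."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, phone, _ = parse_line(line)
        events[src].append((ts, phone))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # events may arrive out of order across sources
        worst, start = 0, 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({phone for _, phone in evs[start:end + 1]})
            worst = max(worst, distinct)
        if worst > max_distinct:
            flagged[src] = worst
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'198.51.100.7': 5}
```

The same per-source distinct-number count, enforced inline before the lookup is served, is the rate limit whose absence the article describes.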
A representative of the Moscow Department of Information Technology did not confirm the report of the vulnerability, stressing that authorization in the Moscow State Services mobile application without entering a password is impossible.
State Services is a federal state information system. It gives individuals and legal entities access to information about state and municipal institutions and organizations, and to the services they provide in electronic form.
from E Hacking News - Latest Hacker News and IT Security News https://ift.tt/2MjPvcQ