Two vulnerabilities in the systems of the concessionaire CEMIG (Companhia Energética de Minas Gerais) left customers' personal and financial information accessible, according to a report obtained by TecMundo. After being notified, the company corrected the flaws in the system.
Security researcher Lucas Emanuel found two flaws, classified as Broken Access Control (CVSS 7.5) and IDOR, Insecure Direct Object Reference (CVSS 7.9). The first allows cybercriminals to bypass a system's administrative restrictions; the second allows a criminal to directly access an object, file, directory or database key without any authorization.
To conduct the research, Lucas Emanuel explains that “all tests were performed using a valid and unexpired user token.” In the tests, queries were made in GraphQL, and it was possible to retrieve an invoice registered in the name of another user: “the invoice was successfully returned in Base64 format.”
Regarding the IDOR flaw specifically, the researcher notes that “due to the sequential nature of the invoice numbers, it is possible to carry out a systematic enumeration that allows access to all existing invoices, including invoices of other CEMIG customers.”
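The two sentences above describe the classic IDOR shape: the API authenticates the caller but never checks that the requested invoice belongs to that caller, and because invoice ids are sequential, a missing check exposes every record. The following is an added example, not code from CEMIG, TecMundo or the researcher, showing that shape in a small GraphQL-style field resolver, the ownership check that closes it, and a per-token counter that flags the enumeration pattern on the detection side. All tokens, customer ids and invoice data are constructed for illustration.

```javascript
// Added example (not the concessionaire's code): an invoice resolver in the
// shape of a GraphQL field resolver, first IDOR-prone, then with an ownership
// check, plus a monitor that flags repeated denied lookups from one token.
// Every name, token and record below is constructed for illustration.

// Constructed sample data: sequential invoice ids belonging to two customers.
const INVOICES = new Map([
  [1001, { customerId: 'C-1', amount: 182.4, pdf: Buffer.from('%PDF-1 invoice 1001') }],
  [1002, { customerId: 'C-2', amount: 97.1,  pdf: Buffer.from('%PDF-1 invoice 1002') }],
  [1003, { customerId: 'C-1', amount: 210.0, pdf: Buffer.from('%PDF-1 invoice 1003') }],
]);

// Constructed session table: a valid, unexpired user token maps to a customer.
const SESSIONS = new Map([
  ['tok-alice', { customerId: 'C-1', expires: Date.now() + 3600e3 }],
  ['tok-bob',   { customerId: 'C-2', expires: Date.now() + 3600e3 }],
]);

function authenticate(token) {
  const session = SESSIONS.get(token);
  if (!session || session.expires < Date.now()) throw new Error('unauthenticated');
  return session;
}

// The flaw: the resolver authenticates the caller but never checks that the
// invoice belongs to them, so any id that exists is returned, Base64 and all.
function invoiceResolverVulnerable(token, invoiceId) {
  authenticate(token);
  const inv = INVOICES.get(invoiceId);
  if (!inv) return null;
  return { id: invoiceId, amount: inv.amount, pdfBase64: inv.pdf.toString('base64') };
}

// Hardened resolver: the lookup is scoped to the authenticated customer, and a
// foreign id is indistinguishable from a missing one (no existence oracle).
function invoiceResolverSecure(token, invoiceId) {
  const { customerId } = authenticate(token);
  const inv = INVOICES.get(invoiceId);
  if (!inv || inv.customerId !== customerId) return null;
  return { id: invoiceId, amount: inv.amount, pdfBase64: inv.pdf.toString('base64') };
}

// Detection side: count, per token, lookups that were denied by the ownership
// check. A legitimate customer triggers this rarely; a sequential sweep
// triggers it on almost every request.
function makeEnumerationMonitor(threshold = 5) {
  const misses = new Map(); // token -> number of denied invoice lookups
  return {
    // Returns true when the token has crossed the threshold and should be
    // flagged for review (rate limiting, session revocation, alerting).
    record(token, allowed) {
      if (allowed) return false;
      const n = (misses.get(token) || 0) + 1;
      misses.set(token, n);
      return n >= threshold;
    },
    missesFor(token) { return misses.get(token) || 0; },
  };
}

// Wrap the secure resolver so every denied lookup feeds the monitor.
function invoiceResolverMonitored(monitor, token, invoiceId) {
  const result = invoiceResolverSecure(token, invoiceId);
  const flagged = monitor.record(token, result !== null);
  return { result, flagged };
}
```

The ownership check belongs in the resolver (or the data layer beneath it), not in the client or the GraphQL schema, because the schema only describes shapes and cannot express who may read which record. Returning `null` for both missing and foreign ids avoids leaking which invoice numbers exist, and the monitor turns the sequential-id property that made the flaw exploitable into a detection signal.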
CEMIG was founded in 1952 and serves more than nine million customers. After being contacted by TecMundo, the company began working to fix both flaws: “Cemig stated that it took action immediately after being informed of the security vulnerability and corrected the anomaly. In this way, the security vulnerability relating to the case presented by the researcher no longer exists.”
Do not make payments received via e-mail or SMS without checking them through official channels.
Among the personal and financial information that could be accessed were: full name, residential address, partial CPF, energy consumption, bill amount, customer number, installation, and payment QR codes.
The risks of exposing this data are varied. The most common is spear phishing: cybercriminals can use this information to craft more convincing scams targeting CEMIG customers. It is therefore important to pay attention to incoming emails and SMS messages, and not to make payments requested through these channels without first checking them through official channels.
Source: Tec Mundo