The Passe Livre portal of ANTT (National Land Transport Agency), affiliated with the Ministry of Infrastructure, has indefinitely exposed sensitive data of nearly one million Brazilians with disabilities enrolled in the federal program.
According to ANTT, the Free Pass is “a program that guarantees free access to interstate public transport by road, rail, and boat for people with disabilities and those who are clearly in need. The program is for low-income people with physical, mental, auditory, visual, multiple disabilities, ostomy or chronic kidney disease.”
The agency also states on its website that 200,000 people are accredited, but that the program can reach around 2.5 million Brazilians.
But a leak detected on Wednesday (12) showed that the Passe Livre portal stores data of about a million people – with a unique identifier on file, it is possible to track about 930 thousand people.
Security researcher “taifayb” warned TecMundo that the information is easily accessible to any citizen who registers on the Interstate Free Pass company portal (even if the registration contains fictitious data).
When checking the public file, it was possible to find information such as the applicant’s full name, home (or mobile) phone, document number (RG), partial CPF, date of birth, gender, identification number (personal identifier), expiration date, Free Pass number, transaction number, status of the applicant, abbreviation of the applicant, photographs of the applicant, SGL UF document and the full name and data of the accompanying person.
“Given the large amount of sensitive information contained in this file, it is imperative that urgent measures be taken to protect it and ensure the privacy and security of those concerned. The information contained in this file is vulnerable to cyber attacks and any unauthorized access may have serious consequences for those concerned,” said taifayb.
After contact from TecMundo, ANTT fixed the vulnerability. The report reads: “The National Land Transport Agency (ANTT) reports that the reported incident is under investigation. The agency also estimates that a new Free Pass system is under development that will guarantee greater navigation and safety to benefit applicants. This new mechanism will be released soon.”
How was access obtained?
According to the source, data collection was performed after simple registration in two Free Pass query fields.
Inside the system, in the “Offline Access” item, there is a default program in Java where all files are encrypted, that is, protected.
The encryption release key was present in the same environment
The problem is that the cryptographic key used to release the files is visible in the program’s Java code.
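An added example, not code from the original article or from the Passe Livre client: a small Python check that flags Java `SecretKeySpec` calls whose key is a string literal or a hard-coded constant, the pattern described above. The Java sample, its class and constant names and its key values are constructed for illustration.

```python
import re

# Constructed Java source for illustration only; names and key values are
# assumptions, not taken from the Passe Livre offline client.
SAMPLE_JAVA = '''
public class OfflineReader {
    private static final String CHAVE = "example-key-2018";
    private static final byte[] IV = {0x01, 0x02, 0x03, 0x04};

    SecretKeySpec fixedKey() {
        return new SecretKeySpec(CHAVE.getBytes(), "AES");
    }
    SecretKeySpec inlineKey() {
        return new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
    }
    SecretKeySpec sessionKey(byte[] keyFromServer) {
        return new SecretKeySpec(keyFromServer, "AES");
    }
}
'''

# Constants initialised from a literal in the source file.
STRING_CONST = re.compile(r'\bString\s+(\w+)\s*=\s*"[^"]*"\s*;')
BYTES_CONST = re.compile(r'\bbyte\s*\[\]\s+(\w+)\s*=\s*\{[^}]*\}\s*;')
# First argument of a SecretKeySpec constructor: a literal or an identifier.
KEY_SPEC = re.compile(r'new\s+SecretKeySpec\s*\(\s*("[^"]*"|\w+)')


def find_hardcoded_keys(java_source):
    """Return (line_number, reason) for each key built from embedded material."""
    constants = {m.group(1) for m in STRING_CONST.finditer(java_source)}
    constants |= {m.group(1) for m in BYTES_CONST.finditer(java_source)}
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        match = KEY_SPEC.search(line)
        if not match:
            continue
        arg = match.group(1)
        if arg.startswith('"'):
            findings.append((lineno, "key is an inline string literal"))
        elif arg in constants:
            findings.append((lineno, f"key comes from hard-coded constant {arg}"))
        # Keys passed in at runtime (e.g. keyFromServer) are not flagged.
    return findings


if __name__ == "__main__":
    for lineno, reason in find_hardcoded_keys(SAMPLE_JAVA):
        print(f"line {lineno}: {reason}")
```

A pattern check like this only catches the obvious cases; the design fix is to keep the decryption key out of anything delivered to the client.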
“I used fictitious data 01234567890 and 1234 to login and got access to the portal where I could refer to any protocol and get photos of people,” the researcher said.
According to the Passe Livre Program User Manual sent to TecMundo, the last update of the standards would have taken place in 2018.
Big problem
One of the main points involving easy access to personal information is cybercrime.
In this case, precise data like this can lead to spear phishing scams. Targeted phishing allows cybercriminals to create fake messages that are more accurate and closer to the reality of the target. That way, the victim is more likely to click on a malicious link or send bank details, for example.
Another problem has to do with impersonation. Cybercriminals gain the ability to open various digital accounts with this data. For example, “laranja” (straw-man) accounts used to carry out other scams.
Source: Tec Mundo
