A security hole in the systems of Fundação Getúlio Vargas (FGV) leaves the data of course candidates accessible to anyone with a web browser. Alumni and staff are also exposed through an unprotected database. The flaw was discovered by a reader identified as Belgra and shared with the Techblog.
Belgra was able to access an FGV database and an FGV online system. There, it was possible to see personal information of course candidates: as an example, he shared links to test records, which were probably entered during the development of the system and are fictitious.
The Techblog confirmed that the flaw exists: other entries can be reached without effort, with a simple change of configuration and by changing the numbers in the URL.
Online system exposes data such as documents and address
Among the information displayed in the online system are documents such as RG (with date of issue and issuing agency) and CPF, date of birth, city and country of birth, and marital status. There are other fields, such as voter registration, military enlistment, and discharge or reservist certificates, but in most cases they are empty.
The flaw doesn’t stop there. By changing another URL parameter, it is possible to access further information about candidates on different pages: full address, e-mail, telephone, emergency contacts, father’s and mother’s details, the registration of the financially responsible person (presumably for minors), professional data and documents.
Belgra says the loophole has existed since at least 2020 and remained uncorrected as of the date this text was published. He comments that the platform was poor and looked “amateur”, with “hints” that the system was flawed. “With this, an attacker can have a full view of the database.” According to the complainant, there are other flawed URLs that could be used to access anything in the database, but this would only be possible using scripts.
FGV database is exposed
Belgra was also able to access a database with multiple tables — in the list shared with the Techblog, there are more than 6,000 of them. Based on their names, we can infer that they hold a wide range of information, such as payment slips, school calendars and bookstore titles. Many of the tables are also empty.
Three of these tables — those for candidates, alumni, and employees — total more than 800,000 system records. Not all entries are complete, and some are test entries.
According to data from a 2020 report, FGV has approximately 5,000 undergraduate, 2,000 master’s and 400 doctoral students, in addition to more than 99,000 in continuing education.
“The flaw exposes the database to the entire Internet, containing about 800,000 records of people with all types of data: RG, CPF, father’s and mother’s names, address, as well as photos of these documents and signed documents”, explains Belgra.
In an example shared with the Techblog containing only data that had been entered into the system as a test, the specialist shows the employee table. It contains the FGV e-mail, professional e-mail, admission date and dismissal date.
What does FGV say
The Techblog informed FGV of the discovery of the flaw before this report was published.
On its website, FGV highlights a data protection area, in which it says that it complies with the General Data Protection Law (LGPD) and that “it is committed to protecting and safeguarding the rights of data subjects, as well as to being an agent that promotes the importance of rights relating to privacy and the protection of personal data”.
The page also provides contacts for questions and complaints about this issue and a link to a portal on the rights of personal data subjects.
With contributions from Felipe Ventura