When it comes to the protection of personal data, Brazil is in a critical position. A recent example of carelessness with sensitive information comes from the former Ministry of Labour (MTE): a flaw in an API on the agency's website allowed details such as citizens' full names and addresses to be extracted through CPF queries, without any type of authentication.
The problem was revealed to Tecnoblog by a security expert who identifies himself only as Andrey. He says he discovered the vulnerability in the second week of February.
At the time, Andrey reported the flaw by e-mail to the Center for Treatment and Response to Government Cyber Incidents (CTIR) and to the MTE itself, a body that was in fact converted into the Secretariat of Labor of the Ministry of Economy in 2019.
But, as of today, no solution had been applied – after the initial contact, CTIR merely replied to Andrey with a standard "notification in progress" message.
Juventude Web system
The vulnerability involved the address of Juventude Web, a relatively old system whose first version dates back to 2009. The site was created by the then MTE for the National Register of Professional Learning (CNAP), a program for registering entities qualified to provide technical and professional training.
By sending a specific request to the address www.jouthweb.mte.gov.br together with a CPF number, it was possible to extract the following data about the individual associated with the document, without the website asking for a password or any other type of authentication:
- Full name;
- Date of birth;
- House number;
- ZIP code;
- Mother’s name.
Using a small script provided by Andrey, Tecnoblog was able to confirm the vulnerability on the morning of this Friday (19). All the CPF queries we tested returned the information listed.
The most disturbing part is that, apparently, the database used by the system is shared with other government services. We say this because, while verifying the problem, we were able to obtain data on people who, in theory, should not be included in MTE records due to factors such as age or the activity they perform.
Andrey himself found that the MTE website revealed information about children and deceased people, for example.
As the Juventude Web system is old, it is likely that the flaw has been exploited for a long time. Andrey reports that he recently found more than 15 scripts written specifically for the vulnerability in online repositories. When he learned of it in February, he had found only five scripts, which suggests that the problem was quickly becoming known.
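Seen from the operator's side, the pattern described above (one client receiving successful answers for many different CPFs with no authenticated session) is something a log review can surface. The following is an added example, not code from Tecnoblog, Andrey or the government system; the log format, the request path and the `cpf` parameter name are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format: "<client-ip> <session-id or -> <status> <request-path>"
LINE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")
CPF_PARAM = re.compile(r"[?&]cpf=([\d.\-]+)")  # hypothetical parameter name


def normalize_cpf(raw):
    """Strip punctuation; return the 11 digits, or None if malformed."""
    digits = re.sub(r"\D", "", raw)
    return digits if len(digits) == 11 else None


def find_enumeration(lines, threshold=3):
    """Return {client: distinct CPF count} for clients without a session that
    got successful answers for at least `threshold` distinct CPFs."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        client, session, status, path = m.groups()
        q = CPF_PARAM.search(path)
        cpf = normalize_cpf(q.group(1)) if q else None
        # Only unauthenticated, successful lookups count toward the total.
        if cpf and session == "-" and status == "200":
            seen[client].add(cpf)
    return {c: len(s) for c, s in seen.items() if len(s) >= threshold}


# Constructed sample lines (documentation IP ranges, dummy CPF values).
SAMPLE = [
    "203.0.113.7 - 200 /api/person?cpf=000.000.001-01",
    "203.0.113.7 - 200 /api/person?cpf=00000000202",
    "203.0.113.7 - 200 /api/person?cpf=00000000303",
    "203.0.113.7 - 200 /api/person?cpf=00000000303",  # repeat, counted once
    "198.51.100.4 sess-a1 200 /api/person?cpf=00000000404",  # has a session
    "198.51.100.9 - 200 /api/person?cpf=00000000505",
    "198.51.100.9 - 200 /index.html",
]

if __name__ == "__main__":
    for client, count in find_enumeration(SAMPLE).items():
        print(f"{client}: {count} distinct CPFs queried without a session")
```

In production the threshold would be tuned to the service's normal traffic, and the real fix remains requiring authentication and authorization on the endpoint itself.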
Site goes down after Tecnoblog contact
After verifying the problem, Tecnoblog contacted the Secretariat of Labor by e-mail. Around 4 pm today, we received the following reply from the Secretariat for Public Policies for Employment of the Special Secretariat for Productivity, Employment and Competitiveness of the Ministry of Economy (SPPE / SEPEC / ME):
As soon as we became aware of the problem, we requested that the page, which was about to be deactivated, be taken down, as has already happened.
In fact, we found that, hours after our contact, the Juventude Web site stopped working and no longer gave access to the data.
Also according to SPPE / SEPEC / ME, Juventude Web was replaced by two registration systems that can be accessed from the Professional Learning page.