The Fui Vazado website was created as a way to check who was affected by the leak of 223 million CPFs, and to find out what other personal data is for sale, including phone, address, credit score and more. After several questions about security and privacy, the developer Allan Fernando tried to clear up some doubts and released the source code of the system (without the access credentials). Experts point out where the service can still improve.
How does the Fui Vazado website work?
As revealed by Tecnoblog, the leaked data is for sale on the dark web and on the open internet, with payment only in bitcoin and prices ranging from $0.075 to $1 per CPF (depending on the quantity purchased).
To have more credibility, the seller offered a free sample of all 37 categories, including e-mail, telephone, address, ID, voter registration, situation at the Federal Revenue Service, employment, face photo, debtors, income, INSS, FGTS, among others.
Some CPFs have no data for certain categories: for example, only a portion of Brazilians receive benefits from the INSS. Because of this, the seller publishes a huge list showing which information he has for each CPF, as you can see in the image below:
The symbol • indicates what data was exposed on a specific CPF; otherwise, the × symbol appears. The numbers at the top correspond to the 37 different categories in the leak: 01 corresponds to “basic” (name, gender, father and mother name); 02 is “email”; 03 is “phone”; and so it goes.
It is not necessary to have a free sample of the leak to gain access to this list, because it was offered (also for free) as a separate download. In addition, there is the list of 223 million CPFs with date of birth and full name that was released in full at no cost.
Allan is using these text files to report which data has been leaked for each person, without revealing the information itself.
Fui Vazado opens source code and answers questions
After several requests, Allan released the site's source code on GitHub. It basically queries the list released by the hacker, mentioned above, to find out which data is included in the complete leak.
The developer used PHP to query a MongoDB database. A username and password are required to access this information, and Allan did not disclose them. “The database and the CSV files used to generate it will not be released; this code is just to show how the website works,” he explains on GitHub.
Still, there are those who are suspicious of Fui Vazado. “I don’t know exactly what to say to anyone who doesn’t trust it; I made the website because I think everyone has the right to know if their data has been leaked,” Allan tells Tecnoblog.
Since the site was launched, Allan says that “there are a lot of people praising the work”, but he has been receiving basically two types of questions:
- Is the site legitimate, or is it just collecting data? The developer explains that “the website does not store the data from the queries, and only queries data that has already been leaked”.
- Will the information be sold? Does the developer sell the database? “I explain that I only have the indications that the data was leaked, not the data itself,” says Allan.
Fui Vazado does not keep a query history
Allan Fernando tells Tecnoblog that he created Fui Vazado because of the difficulty of knowing whether one’s own data had been leaked. “The entire development was done only by me,” he says. In the past few days, he has migrated the server and the database to withstand the high demand.
The main support comes in the form of donations to keep the site running: “there are a lot of people donating; it still doesn’t cover all the costs, but it already helps a lot”. He says the total number of unique visits has reached 700 thousand, “so I imagine that of queries is already close to 1 million or even more than that”.
According to Allan, there is no way to know the exact number of queries because there is no logging system recording their history, not even the CPF and date of birth entered for a query; he says he has only Cloudflare data on access IPs.
We asked whether it would be possible to enter only part of the CPF for the query, instead of the entire number, validating it with the date of birth. Allan argues that “such a query would demand more from the database, which is already overloaded”, and states that, given the amount of data, two people can share the same date of birth and the same part of a CPF.
What about using some form of identity validation instead of the CPF number? “Nobody has talked to me” about it, says Allan. “One way I know of to validate this would be with the e-CPF, but that is something expensive that few people have, which would make it difficult for most people to access the site.”
What can improve in Fui Vazado?
And, above all, the platform should protect the data with hashing and salting, instead of storing it in plain text. This means running each CPF through a one-way function and storing only the resulting character string. That way, if someone gains improper access to the database, they would have no way of knowing which person each record belongs to.
This would require more resources from the site, which already handles a high volume of accesses, but Gustavo argues to Tecnoblog: “To build a query platform, the developer needs to put in resources in order to be able to scale; I understand that it is voluntary work, but we need good security practices”.
Diego Aranha, professor of computer science at Aarhus University (Denmark), gives some suggestions on how to improve privacy. One is a penalty hash function, which forces each query to spend computing time on the user’s device. In this way, “someone who is trying to mine the database will pay a greater penalty for doing so at scale”.
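The two suggestions above (storing only hashed CPFs rather than plain text, and making each query cost computing time on the user's device) can be combined in one design. The example below is added here and is not Fui Vazado's code: the client derives a slow, memory-hard key from the CPF with a public salt, and the server stores and looks up only a keyed hash of that value under a secret pepper. The salt, pepper, CPFs and category flags are constructed values for the example.

```python
import hashlib
import hmac

# Constructed sample of the leak index: CPF -> categories present for it.
# These CPFs and flags are made up for the example, not real leaked records.
SAMPLE_ROWS = {
    "12345678909": ["basic", "email", "phone"],
    "98765432100": ["basic", "address", "credit_score"],
}

# Public parameters: everyone, including the browser, knows the salt and cost.
PUBLIC_SALT = b"fui-vazado-example-salt"   # constructed value, not the site's
SCRYPT_N = 2 ** 14                         # cost parameter; higher = slower per query


def derive_query_key(cpf: str, n: int = SCRYPT_N) -> bytes:
    """Client-side 'penalty' step: a memory-hard KDF over the 11 CPF digits.
    The browser pays this cost once per query; anyone trying to enumerate
    the ~10^9 valid CPFs has to pay it ~10^9 times."""
    digits = "".join(ch for ch in cpf if ch.isdigit())
    if len(digits) != 11:
        raise ValueError("CPF must have 11 digits")
    return hashlib.scrypt(digits.encode(), salt=PUBLIC_SALT, n=n, r=8, p=1, dklen=32)


def server_index_key(query_key: bytes, pepper: bytes) -> str:
    """Server-side step: HMAC under a secret pepper held only by the server.
    Without the pepper, a stolen index cannot be matched against hashes
    recomputed from candidate CPFs."""
    return hmac.new(pepper, query_key, hashlib.sha256).hexdigest()


def build_index(rows: dict, pepper: bytes) -> dict:
    """What the database holds: peppered keys -> category flags, no CPF digits."""
    return {server_index_key(derive_query_key(c), pepper): cats for c, cats in rows.items()}


def lookup(index: dict, query_key: bytes, pepper: bytes):
    """Server lookup: one cheap HMAC plus a dict hit; the slow KDF ran on the client."""
    return index.get(server_index_key(query_key, pepper))


def index_leaks_cpfs(index: dict, rows: dict) -> bool:
    """Sanity check for the stored form: no raw CPF string appears in the index keys."""
    blob = " ".join(index.keys())
    return any(c in blob for c in rows)
```

Note that a CPF has only about a billion valid values, so the scrypt cost and the secret pepper, not the public salt alone, are what stop an attacker with a copy of the index from recovering the CPFs.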
Another possibility is a technique already used by Google, a cryptographic protocol for private set intersection. Here, the server encrypts the database in a way that still allows queries, and then destroys the original database. Of course, this “depends on trusting the server to actually delete the sensitive database”, he explains to Tecnoblog.
Fui Vazado “can be converted into a public service”
Rafael Zanatta, director of the Data Privacy Brasil Research Association, says on Twitter that “Allan’s project can be converted into a public service within a strategic contingency plan”. He argues that “the Ministry of Justice should, at the very least, build something out of his project and his open source”.
To Tecnoblog, Zanatta explains that the Ministry of Justice has the resources of the FDD (Fund for Diffuse Rights) and for that reason would be better placed to create this type of experimental project. The ANPD (National Data Protection Authority), on the other hand, has scarcer resources, a short budget and few staff.
To turn Fui Vazado into a public service, an ordinance could be issued to set up a working group and invite specialists from all over Brazil to join the project. Zanatta sees Allan’s project as “a case of civic innovation” that should be an inspiration for the government.
In addition, it would be necessary to break with the idea that the responsibility rests with each individual. He quotes Julie E. Cohen, a law professor at Georgetown University, who has been arguing for years that it is not possible to protect privacy by focusing only on each individual.
For Zanatta, people need support from the government: links to Fui Vazado and news about the leak started circulating widely in WhatsApp groups, but people feel adrift, not knowing what to do. As an example, he mentions IdentityTheft.gov, maintained by the US government, which helps victims of identity theft.