Hacker finds sensitive data exposed at CAIXA, DATASUS, USP and others

Brazilians' personal data is exposed and easily reachable through the most widely used online tool in the world: Google. Specifically, this means information such as full name, CPF, date of birth, home address, memos, and internal and confidential documents, left open on the websites of institutions such as the University of São Paulo (USP), the Federal University of Rio de Janeiro (UFRJ), Caixa Econômica Federal, the Unified Health System (SUS), Sefaz and others.

Complete unpreparedness and disregard for national digital security

The discovery was made by security researcher Pedro Antônio, known online as “Pedr4uz”, together with his XPSec Security team, who did not have to break into any system to find this information: everything was open and indexed by Google. This technique of searching for exposed data, flaws or vulnerabilities through search engine queries is known as Google Hacking.

According to Pedr4uz, in addition to the private information of members of these institutions and databases published on the internet, several of the institutions' internal Word, PowerPoint and PDF files contained access credentials (usernames, emails and passwords) in plain text. This means that practically anyone could reach sensitive information in these systems via Google. The credentials were, and still are, there, ready to be used in intrusions. “Sometimes, I found access credentials with the highest privileges, such as administrator privileges”, says the researcher.


National neglect

“As if there were not enough information available, sufficient for use in countless digital frauds, the amount of access credentials (including administrator) exposed due to complete unpreparedness and disregard for national digital security exposes hundreds of web servers in the possession of the federal government to the complete domain of specialized cybercriminals”, he adds to TecMundo.

Any minimal security breach becomes free access in the hands of an experienced cybercriminal

And personal information was not the only problem found. Pedro Antônio also encountered vulnerabilities such as Remote File Inclusion, Local File Inclusion, Remote Code Execution, Directory Traversal and Directory Listing, and even private FTP and API passwords from Datasus, completely open on Google.

He adds to TecMundo: “it is essential to note that any security breach becomes free access in the hands of an experienced cybercriminal”, explaining how data considered public, such as the CPF in this case, can make things easier for any internet user connected to crime.


Google Hacking

“Nevertheless, the neglect is such that there is no need for even specialized knowledge, it is trivial to the point of being handed over to anyone who asks the right questions of Google”, concludes the researcher.

Google Hacking requires neither advanced technical knowledge nor any kind of system intrusion. Data like this, open to access and in anyone's hands, shows how much work remains before major Brazilian institutions reach a robust level of cybersecurity. It is worth noting that the companies and institutions cited in this article are only a few of those the researcher found: the number is alarming, and it would be an impossible task to compile how many companies are exposing data belonging to their readers, users, customers, patients and even subscribers.

How to report to TecMundo

TecMundo supports the work of ethical hackers. Reports can be made on the following channels:
