Vasco’s election site exposes data on supporter members | Antivirus and Security

The Club de Regatas Vasco da Gama carried out a registration this week so that its supporters can vote for the next president of the team. However, the website responsible for this exposed the data of thousands of users, including full name, date of birth and CPF, according to the Tecnoblog. In its privacy policy, the club promised to respect the LGPD (General Law for the Protection of Personal Data).

Vasco da Gama (Image: Luis Wilker Perelo / Pixabay)

The Eleja Online website, which handles this Vasco election, allowed access to personal data through a specific URL that included the registration number; Tecnoblog confirmed this. The browser displayed the following data:

  • ID
  • full name
  • CPF
  • date of birth
  • registration number
  • category (general, patrimonial, redeemed, benefactor redeemed, etc.)

The security expert who analyzed this flaw told Tecnoblog that he created a script (written in PHP with cURL) to “kick” the registration number using random strings and record the valid results. “From about 7 thousand queries, I got these 5,590 registrations, in less than 2 hours of running”, says the source.

Leaking data from Vasco supporters (Image: Reproduction)

According to him, the page used Cloudflare – which protects websites against DDoS and other threats – but nothing prevented brute-force attacks: there was no rate limiting, and the endpoint released a record to anyone who supplied a valid registration number. In this way, it was possible to collect thousands of records without any blocking.
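To make the defensive point concrete, the following Python sketch (added here; it is not code from Eleja Online or Tecnoblog, and every name, record and CPF value in it is constructed) puts the pattern the expert describes, a lookup keyed only by a guessable registration number, beside a hardened version that throttles each client, releases a record only to the session that owns that registration, and answers “not found” and “not yours” identically so the endpoint cannot be used to confirm which numbers exist.

```python
"""Guessable-identifier lookup (the flaw described in the article) beside a
hardened form. Constructed illustration only; all names are hypothetical."""
import time
from collections import defaultdict, deque

# Constructed sample data. CPF values are placeholders, not real documents.
RECORDS = {
    "100001": {"name": "Supporter A", "cpf": "000.000.001-00", "birth": "1980-01-01"},
    "100002": {"name": "Supporter B", "cpf": "000.000.002-00", "birth": "1975-05-20"},
    "100003": {"name": "Supporter C", "cpf": "000.000.003-00", "birth": "1992-09-09"},
}


def lookup_vulnerable(registration_number: str):
    """Vulnerable pattern: the URL parameter alone selects the record and every
    caller, authenticated or not, receives the full personal data. A valid
    number found by guessing is enough to read someone else's record."""
    return RECORDS.get(registration_number)


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds
    for each client key. `clock` is injectable so behaviour is testable."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class Denied(Exception):
    """Raised when a client exceeds its request budget."""


def lookup_hardened(session: dict, registration_number: str, limiter: RateLimiter):
    """Hardened pattern:
    1. throttle by client before doing any work;
    2. release a record only to the session that owns that registration;
    3. return None for both 'unknown number' and 'not your number', so the
       response does not reveal which registration numbers are valid."""
    if not limiter.allow(session["client_id"]):
        raise Denied("rate limit exceeded")
    if session.get("registration_number") != registration_number:
        return None
    return RECORDS.get(registration_number)


def simulate_client(session: dict, candidates, limiter: RateLimiter):
    """Replays a list of candidate registration numbers against the hardened
    endpoint and reports (records obtained, whether the limiter cut it off)."""
    obtained, throttled = 0, False
    for reg in candidates:
        try:
            if lookup_hardened(session, reg, limiter) is not None:
                obtained += 1
        except Denied:
            throttled = True
            break
    return obtained, throttled


if __name__ == "__main__":
    guesses = ["100001", "100002", "100003", "999999"]
    # Against the vulnerable lookup every valid guess yields a record.
    print("vulnerable:", sum(1 for g in guesses if lookup_vulnerable(g)))
    # Against the hardened lookup the client only ever sees its own record.
    own = {"client_id": "browser-1", "registration_number": "100001"}
    print("hardened:", simulate_client(own, guesses, RateLimiter(limit=3, window=60)))
```

The ownership check is the fix for the disclosure itself; the limiter is defence in depth that turns the “7 thousand queries in under 2 hours” pattern into something that is both slowed down and visible in logs. A CDN in front of the site, as the article notes, does neither of these things unless it is explicitly configured to.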

Vasco promised data privacy

The registration page is currently down. When it was still up, visiting it produced a pop-up with the privacy policy, mentioning “the commitment of the Ordinary General Assembly of the Club de Regatas Vasco da Gama to transparency and the protection of your personal data”.

However, the text – last updated on November 10 – erroneously said that the LGPD is not yet in force; in fact, it started to take effect in September. In addition, the website made some promises that it could not keep, for example: “we guarantee that only the General Assembly of the Club de Regatas Vasco da Gama has access to your personal data collected through this website”.

We also have the following: “the president of the General Assembly of the Club de Regatas Vasco da Gama adopted all security measures through a careful selection of the company responsible for data collection and operation of the virtual election system”.

Vasco’s privacy policy (Image: Reproduction / Eleja Online)

LGPD penalties range from a warning to a fine of 2% of annual revenue, capped at R$ 50 million. Enforcement depends on the ANPD (National Data Protection Authority), whose members are still being appointed. Regardless, anyone affected by a leak can file a lawsuit in court.

The exposed data of supporters can make Vasco’s election even more tumultuous. The online voting should take place this Saturday (14), but candidates Leven Siano, Sérgio Frias and Alexandre Campello (current president) resigned. Leven states that he is already president-elect by another vote that took place last Saturday (7), and whose effect was suspended by the STJ (Superior Court of Justice).

Tecnoblog contacted Vasco and Eleja Online, but got no response.

Vasco’s website discloses members’ CPF

After this post was published, a reader pointed out that Vasco’s own website hosts a list with information on almost 8,500 voters, including full name, CPF, admission date, date of birth, registration number and social category.

The list consists of several images gathered in a PDF, so the data cannot be searched directly. However, this type of file can be converted into an Excel spreadsheet.

Vasco voters’ data (Image: Reproduction / Vasco)

Updated at 14:40
