The Eleja Online website, which runs this Vasco election, allowed access to personal data through a specific URL that included a member's registration number, as Tecnoblog confirmed. The browser displayed the following data:
- full name
- date of birth
- registration number
- category (general, patrimonial, redeemed, benefactor redeemed, etc.)
The security expert who analyzed this flaw told Tecnoblog that he wrote a script (in PHP, using cURL) to guess registration numbers from random strings and record the valid results. “From about 7 thousand queries, I got these 5,590 registrations, in less than 2 hours of running,” says the source.
According to him, the page was behind Cloudflare, which protects websites against DDoS and other threats, but nothing stopped brute-force guessing of registration numbers (there was no lookup limit per client, for instance). That is how thousands of records could be collected without any blocking.
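The flaw described above is a lookup endpoint whose only key is a guessable identifier, with no check that the caller owns the record and no throttle on how fast one client can query. The following simulation is an added example, not code from the article, Tecnoblog or Eleja Online: `vulnerable_lookup` reproduces the flawed pattern against an in-memory table of constructed records, and `HardenedService` shows the two controls that close it, a session-bound ownership check and a per-client sliding-window rate limit. Every name, IP address, registration number and record here is made up, and the 6-digit format is an assumption.

```python
"""Added example (not the article's or Eleja Online's code): the guessable
lookup beside a hardened version. All records, numbers and clients are
constructed; the 6-digit registration format is an assumption."""
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample records keyed by (assumed) 6-digit registration number.
RECORDS: Dict[str, Dict[str, str]] = {
    "104233": {"name": "Member A", "birth": "1980-01-01", "category": "general"},
    "104234": {"name": "Member B", "birth": "1975-06-12", "category": "patrimonial"},
    "208817": {"name": "Member C", "birth": "1990-09-30", "category": "redeemed"},
}


def vulnerable_lookup(reg_number: str) -> Optional[Dict[str, str]]:
    """The flawed pattern: the registration number in the URL is the only key.
    No login, no ownership check, no throttle, so any valid guess leaks a record."""
    return RECORDS.get(reg_number)


class SlidingWindowLimiter:
    """Allows at most `max_hits` calls per client within any `window` seconds."""

    def __init__(self, max_hits: int, window: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_hits = max_hits
        self.window = window
        self.clock = clock          # injectable for deterministic tests
        self._hits: Dict[str, List[float]] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        recent = [t for t in self._hits.get(client, []) if now - t < self.window]
        if len(recent) >= self.max_hits:
            self._hits[client] = recent
            return False
        recent.append(now)
        self._hits[client] = recent
        return True


class HardenedService:
    """Same data, but the caller must own the record and is rate-limited."""

    def __init__(self, limiter: SlidingWindowLimiter) -> None:
        self.limiter = limiter

    def lookup(self, client: str, session_reg: Optional[str],
               reg_number: str) -> Tuple[str, Optional[Dict[str, str]]]:
        # client: IP or API key used for throttling.
        # session_reg: registration number bound to the caller's authenticated session.
        if not self.limiter.allow(client):
            return "rate_limited", None
        if session_reg is None:
            return "unauthenticated", None
        if session_reg != reg_number:
            # Same answer whether or not reg_number exists, so a logged-in
            # member cannot use this endpoint to enumerate other members.
            return "forbidden", None
        record = RECORDS.get(reg_number)
        return ("ok", record) if record else ("not_found", None)


def guess_records(lookup: Callable[[str], Optional[Dict[str, str]]],
                  candidates: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Generic guessing loop: try each candidate and keep the ones that return data."""
    found: Dict[str, Dict[str, str]] = {}
    for candidate in candidates:
        record = lookup(candidate)
        if record:
            found[candidate] = record
    return found


def simulate(candidates: Iterable[str], client: str = "198.51.100.7",
             clock: Callable[[], float] = time.monotonic):
    """Run one unauthenticated client's guess list against both endpoints.
    Returns the records the vulnerable endpoint leaked and a tally of the
    hardened endpoint's responses."""
    guesses = list(candidates)
    leaked = guess_records(vulnerable_lookup, guesses)
    service = HardenedService(SlidingWindowLimiter(max_hits=20, window=60.0, clock=clock))
    outcomes: Dict[str, int] = {}
    for guess in guesses:
        status, _ = service.lookup(client, session_reg=None, reg_number=guess)
        outcomes[status] = outcomes.get(status, 0) + 1
    return leaked, outcomes


if __name__ == "__main__":
    guesses = [f"{n:06d}" for n in range(104200, 104300)] + ["208817"]
    leaked, outcomes = simulate(guesses)
    print(f"vulnerable endpoint leaked {len(leaked)} of {len(guesses)} guesses: {sorted(leaked)}")
    print("hardened endpoint:", outcomes)
    owner = HardenedService(SlidingWindowLimiter(20, 60.0))
    print("owner reading own record:", owner.lookup("203.0.113.5", "104233", "104233"))
    print("owner reading someone else:", owner.lookup("203.0.113.5", "104233", "104234"))
```

The ownership check is the real fix; the rate limit only slows an attacker down, and a WAF in front of the site cannot tell a legitimate lookup from a guessed one unless it is configured to throttle per client. The article does not say which Cloudflare features were enabled, only that nothing blocked the guessing.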
Vasco promised data privacy
However, the text, last updated on November 10, wrongly stated that the LGPD was not yet in force; it actually took effect in September. The site also made promises it could not keep, for example: “we guarantee that only the General Assembly of the Club de Regatas Vasco da Gama has access to your personal data collected through this website”.
It also states: “the president of the General Assembly of the Club de Regatas Vasco da Gama adopted all security measures through a careful selection of the company responsible for data collection and operation of the virtual election system”.
LGPD penalties range from a warning to a fine of up to 2% of annual revenue, capped at R$ 50 million per infraction. Applying them depends on the ANPD (National Data Protection Authority), whose members were still being appointed. Anyone affected by a leak can, however, file a lawsuit in court regardless.
The exposure of supporters' data could make Vasco's election even more turbulent. The online vote was scheduled for this Saturday (14), but candidates Leven Siano, Sérgio Frias and Alexandre Campello (the current president) withdrew. Leven says he is already president-elect through another vote held last Saturday (7), whose effect was suspended by the STJ (Superior Court of Justice).
Tecnoblog contacted Vasco and Eleja Online but received no response.
Vasco’s website discloses members’ CPF
After this post was published, a reader pointed out that Vasco's website hosts a list with information on almost 8,500 voters, including full name, CPF, admission date, date of birth, registration number and membership category.
The list consists of several images bundled into a PDF, so the data cannot be searched directly. That is no protection, though: there are ways to convert this kind of file into an Excel spreadsheet.
Updated at 14:40