“Hole” in State Services: the vulnerability made it possible to access and change data simply by a phone number

Cybersecurity company Postuf has discovered a dangerous vulnerability in the Moscow State Services mobile application for Android.

The vulnerability made it possible to gain access to any user's personal account using only that user's phone number. It is noted that at the time of publication this “hole” had already been closed in the application.

Using this vulnerability, attackers could obtain all the information a user had entered on the Moscow services website, including last name, first name and patronymic, e-mail address, year of birth, OMS (compulsory medical insurance) policy number and SNILS number, a list of movable and immovable property, information about whether the user holds a passport, information about children enrolled in schools, and so on.

At the same time, with the OMS policy number and year of birth in hand, one can access medical information through the UMIAS system: for example, which doctors the person visits, the prescriptions issued to them, and their history of registration with clinics.

Access to the personal account also allowed changing user data. As a demonstration, a Postuf representative entered information about a non-existent car into the profile of an RBC correspondent, and it appeared on the user’s page almost immediately.
