The personal data of more than 243 million Brazilians was potentially accessible for at least six months because of weakly encoded credentials stored in the source code of the Brazilian Ministry of Health's website (via ZDNet). The security issue was first reported by Brazilian publication Estadão.
The personal information of anyone who had registered with Sistema Único de Saúde (SUS), Brazil's national health system, could be viewed. That information included people's full names, addresses, and phone numbers, reported Estadão. The database also includes records of living and dead people, as the population of Brazil was more than 211 million in 2019, according to The World Bank, which is about 32 million fewer people than the reported number of records that were potentially accessible.
The Ministry of Health's website stored the encoded access credentials to the database of personal information in its source code, reports Estadão. However, the login and password were encoded using Base64, a method that can be easily decoded. Given that you can look at any website's source code with a keyboard shortcut or by accessing it in a menu, potentially anyone could have found these encoded credentials and, if they were savvy enough, decoded them to then access the personal information of Brazilians.
Health records can be quite valuable on the black market given the amount of personal information they typically include. If a bad actor knew of this vulnerability, it's very possible they could have taken this data to use for their own nefarious purposes or to sell later. The Ministry of Health has corrected the problem, according to Estadão.
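A pre-deployment check for the mistake described above, as an added example that is not from the article or the ministry's site: it scans page source for Base64 strings that decode to credential-like text. The regular expressions, function names and sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of the Base64 alphabet long enough to hold a short secret, plus padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# Assumed heuristics for "looks like a credential": a keyword, or user:password.
CRED_HINT = re.compile(r"pass|pwd|senha|user|login|secret|token|^[^\s:]{2,}:[^\s:]{4,}$", re.I)

# Constructed sample values, not taken from the incident.
SAMPLE_TOKEN = base64.b64encode(b"svc_reader:NotARealPassword1").decode()
BENIGN_TEXT = base64.b64encode(b"just a greeting text").decode()
BENIGN_BLOB = base64.b64encode(bytes(range(200, 230))).decode()


def decode_printable(token):
    """Return decoded text if token is valid Base64 of printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # bad Base64 or non-ASCII bytes
        return None
    return text if text.isprintable() else None


def find_encoded_credentials(source):
    """Return (line_number, token) for Base64 tokens that decode to credential-like text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in B64_TOKEN.finditer(line):
            text = decode_printable(match.group())
            if text and CRED_HINT.search(text):
                findings.append((lineno, match.group()))
    return findings


def build_sample():
    """Constructed page source: two harmless Base64 strings and one embedded credential."""
    return "\n".join([
        '<img src="data:image/png;base64,%s">' % BENIGN_BLOB,
        '<span data-msg="%s"></span>' % BENIGN_TEXT,
        '<script>var dbAuth = "%s";</script>' % SAMPLE_TOKEN,
        "<p>Sistema</p>",
    ])


if __name__ == "__main__":
    for lineno, token in find_encoded_credentials(build_sample()):
        print("line %d: Base64 string decodes to credential-like text (%d chars)" % (lineno, len(token)))
```

A finding means the secret has to leave client-delivered source entirely and be rotated; swapping Base64 for another reversible encoding leaves the same exposure.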