A security flaw in the Finance Portal allowed the password of a person's account to be changed knowing only their taxpayer number (NIF). In theory, the problem, which has since been fixed, could have been exploited by attackers to gain access to any user's financial information.
The flaw was discovered by Miguel de Moura, a 22-year-old student at the Instituto Superior Técnico, who recently described the process on his personal website. The student says he held off on revealing the problems until the Finance Portal had fixed them, a common practice in cybersecurity.
"Changing someone's password, which is the most serious, took only a few seconds," Miguel de Moura told PÚBLICO. The case was first reported by the magazine Computer research.
PÚBLICO contacted the Ministry of Finance on Wednesday afternoon. The ministry replied that it would not be able to provide answers before this article was published.
In two texts published online, Miguel de Moura explained how he found several flaws in the Finance Portal. Besides the password change, the texts mention other problems, such as techniques to find someone's phone number from their NIF, and the possibility of using legitimate Finance Portal web addresses, modified to carry malicious content, for phishing (tricking a user into handing over sensitive data).
The process involved inspecting the source code of the Finance Portal's web page, something anyone can do. Alongside the fields visible on the site (such as New password and Confirm new password), hidden form fields can be found, such as the NIF linked to a mobile number. With some computer skills it was possible to change these values.
"Most online forms have hidden fields. In the case of a password change request on the Finance Portal, the forms were pre-filled with the user's NIF, which a normal user did not have access to, but which was surprisingly easy to find and change," Moura explains.
"The attacker did not even have to link the mobile number to someone's NIF," he says. It was enough to go through the password recovery process and link a new password to another NIF.
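As an added illustration (not code from the article or from the Finance Portal), the following shows a minimal password-reset handler that trusts the hidden NIF field described above, beside a hardened version that ignores any client-supplied identifier and binds the reset to a server-side token issued only after the phone-based verification has succeeded; all names, users and data are constructed.

```python
import secrets
from typing import Optional

# Constructed user store: NIF -> account record (not real data).
USERS = {
    "111111111": {"phone": "+351900000001", "password": "old-a"},
    "222222222": {"phone": "+351900000002", "password": "old-b"},
}


def vulnerable_reset(form: dict) -> str:
    """Pattern described in the article: the NIF arrives in a hidden form
    field, so whoever edits the submitted form chooses which account is reset."""
    nif = form["nif"]  # client-controlled value trusted as identity
    USERS[nif]["password"] = form["new_password"]
    return nif


# Server-side pending resets: opaque token -> NIF. A token exists only for a
# NIF whose owner passed the out-of-band check (modelled by the sms_code_ok flag).
PENDING: dict = {}


def start_reset(nif: str, sms_code_ok: bool) -> Optional[str]:
    """Issue a single-use token after the phone verification succeeded."""
    if nif not in USERS or not sms_code_ok:
        return None
    token = secrets.token_urlsafe(32)
    PENDING[token] = nif
    return token


def hardened_reset(form: dict) -> Optional[str]:
    """Hardened version: the account is derived from the server-side token.
    Any 'nif' field the client sends is ignored, so tampering changes nothing."""
    nif = PENDING.pop(form.get("token", ""), None)  # pop makes it single-use
    if nif is None:
        return None
    USERS[nif]["password"] = form["new_password"]
    return nif
```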
"Among the other problems I reported, the most worrying were schemes that used the Ministry of Finance's URL to include pieces of malicious code, which made phishing to steal people's data easier," says the student. "When someone tried to authenticate on the Finance Portal, in the password recovery option, it was also possible to bypass the secret question and view the phone numbers linked to a NIF."
The student contacted the Finance Portal support line on the first day he discovered the errors. The next day he tried the National Data Protection Commission (CNPD). But the process took time. "Only in May, after a half-hour phone call in which I was transferred between different authorities, did I reach the competent ones," he says. "Someone finally listened and forwarded my call to the person who could solve the problem."