The personal information of more than 243 million Brazilians was potentially accessible for at least six months thanks to weakly encoded credentials kept in the source code of the Brazilian Ministry of Health’s website (via ZDNet). The security issue was first reported by Brazilian publication Estadão.
The personal data of anyone who had registered with Sistema Único de Saúde (SUS), Brazil’s national health system, could be viewed. That data included people’s full names, addresses, and telephone numbers, reported Estadão. The database also includes records of living and dead people as the population of Brazil was more than 211 million in 2019, according to The World Bank, which is about 32 million fewer people than the reported number of records that were potentially accessible.
The Ministry of Health’s website stored the encoded access credentials to the database of personal information in its source code, reports Estadão. However, the login and password were encoded using Base64, a method that can be easily decoded. Given that you can look at any website’s source code with a keyboard shortcut or by accessing it in a menu, potentially anyone could have found these encrypted credentials and, if they were savvy enough, decoded them to then access the personal records of Brazilians.
Health records can be quite valuable on the black market given the amount of personal information they often include. If a bad actor knew of this vulnerability, it’s very possible they could have taken this data to use for their own nefarious purposes or to sell later. The Ministry of Health has corrected the problem, according to Estadão.