The source code of the Public Services Portal of the Russian Federation was made publicly available

The hacker claims that the data was on one of the mos.ru subdomains in unencrypted form.

On December 25, a publication appeared on the Cybersec hacker website in which the author made the source code of the Public Services Portal openly available. According to him, the data was downloaded from resources on mos.ru subdomains.

The author of Cybersec discovered an open repository containing the source code of the Public Services Portal in .git format and unencrypted. In addition to the source code, the leak contains ESIA certificates that can be used to hack accounts.

A study of the code showed that the Public Services Portal was built on the Bitrix engine and that the ESIA authorization system was based on OpenID. The author noted that his study will help others find further vulnerabilities in the system and either close them or turn them to their own advantage and steal user data.

The author also said in the article that before publication he contacted the administration of the Public Services Portal to report the data leak. However, they only asked him for a detailed description of the leak and confirmation of it, and after that stopped responding altogether.

Vladimir Ulyanov, head of the Zecurion analytical center, which specializes in information security, said that the usual human factor is most likely to blame. In such cases, either someone simply made a mistake through lack of competence or carelessness and allowed the code to be disclosed, or it is a deliberate leak by someone who has access to the source code.

Ashot Oganesyan, the founder of the DLBI data leak intelligence and monitoring service, said that user data did not end up online. However, it cannot be ruled out that the compromised code will allow attackers to gain access to it in the future.

 
