Specialists of the company Postuf reported a vulnerability in the application of the Moscow State Services, with which it was possible to gain access to the account, knowing only the user's mobile number.
This made it possible to get all the information that the user specified on the site: full name, e-mail, year of birth, medical insurance number, list of movable and immovable property, information about the foreign passport, about children, students in schools, etc. Knowing the number of the medical insurance number and the year of birth, it was possible to get access to medical information: which doctors a person visits, what prescriptions are written to him, the history of attachment to clinics, etc.
"The vulnerability made it possible not just to view, but also to change the data", said the founder of the company Postuf Bekhan Gendargenoevsky.
The expert notes that it is impossible to cause serious harm by knowing the data from the portal, but personal data can be used by hackers for phishing attacks.
"It is impossible to steal money directly [with such information], although hackers can use their knowledge in social engineering and try to steal bank card data from a person," said the computer security specialist.
He also noted that since the system has no restrictions on the number of requests for access to accounts, requesting the so-called beautiful numbers, it was possible to get information "about a number of well-known personalities who, as a rule, have such numbers."
A representative of the Moscow Department of Information Technology did not confirm the information about the vulnerability, stressing that authorization in the ..