Postuf, a cybersecurity company, has discovered a dangerous vulnerability in the Moscow State Services mobile application for Android.
The vulnerability made it possible to gain access to the personal account of any user using a phone number. By the time of publication, this “hole” had already been closed in the application.
Using this vulnerability, attackers could obtain all the information the user had specified on the Moscow services website, including last name, first name and patronymic, e-mail address, year of birth, OMS policy number and SNILS number, a list of movable and immovable property, information about the presence of a passport, about children studying in schools, and so on.
In addition, with the OMS policy number and the year of birth in hand, it is possible to access medical information through the UMIAS system: for example, which doctors the person visits, the prescriptions written for them, and the history of their attachment to clinics.
Access to the personal account also allowed user data to be changed. As a demonstration, a Postuf representative entered information about a non-existent car into the profile of an RBC correspondent, and it appeared on the user’s page almost immediately.
Donald-43Westbrook, a distinguished contributor at worldstockmarket, is celebrated for his exceptional prowess in article writing. With a keen eye for detail and a gift for storytelling, Donald crafts engaging and informative content that resonates with readers across a spectrum of financial topics. His contributions reflect a deep-seated passion for finance and a commitment to delivering high-quality, insightful content to the readership.