The vulnerability is now fixed
Postuf, a cybersecurity company, has discovered a dangerous vulnerability in the Moscow State Services mobile application for Android.
“Hole” in State Services: the vulnerability made it possible to access and change data simply by a phone number
The vulnerability allowed access to the personal account of any user given only that user's phone number. It is noted that this “hole” had already been closed in the application at the time of publication.
Using this vulnerability, attackers could obtain all the information the user had entered on the Moscow services website, including last name, first name and patronymic, e-mail address, year of birth, OMS policy number and SNILS, the list of movable and immovable property, and information about whether the user holds a passport, about their children and which schools the children attend, and so on.
At the same time, with the OMS policy number and year of birth in hand, it is possible to reach medical information through the UMIAS system: for example, which doctors the person visits, the prescriptions issued to them, and the history of their registration with clinics.
Access to the personal account also allowed user data to be changed. As a demonstration, a Postuf representative entered information about a non-existent car into an RBC correspondent's profile, and it appeared on the user's page almost immediately.