The Hack launches this Tuesday (19) its new column, Reader's Complaint, which publishes our readers' findings about data leaks and vulnerabilities in systems, applications and software. For this debut, the alert concerns customers of MAIS Medicina Diagnóstica, a medical clinic specializing in imaging exams and located in the city of Vitória, Espírito Santo.
- Do you also have a complaint to make to The Hack? Write to [email protected]. The confidentiality of your identity is guaranteed.
According to a source who asked not to be identified, the system the company uses to store and deliver the scanned results of exams to its patients requires no authentication; only the clinic's "primary" website asks for a password login. As a result, the domain hosting the sensitive files can be attacked in two ways to extract sensitive information: IDOR exploitation and SQL injection (SQLi).
IDOR, short for Insecure Direct Object Reference, is a flaw that occurs when a web system returns information or documents based on a predictable, usually sequential, identifier without checking that the requester is entitled to that object. For example, if you are viewing your invoice at the URL www.banco.com/fatura?id=121, you may be able to access another customer's invoice simply by changing the identifier and opening www.banco.com/fatura?id=120.
SQL injection takes advantage of failures in how the web application builds the queries it sends to its database in Structured Query Language (SQL), the language used to read, update, add and delete information in that database. When user-supplied input is concatenated into the query text instead of being passed as a parameter, an attacker can change the query's logic and use the loophole to gain access to the entire database, deleting records or copying all of its information to their own computer.
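The two flaws described above (the IDOR in the paragraph before and the SQL injection in this one) often live in the same line of code: a lookup that takes an identifier from the URL, pastes it into a query, and never asks who is requesting it. The following is an added example written for this article, not code from the clinic, its supplier, or The Hack's source. It uses a constructed in-memory SQLite table with a hypothetical `exams` schema and invented patient identifiers; the real system's structure is unknown. The vulnerable function reproduces both problems, and the hardened function shows the two fixes a practitioner would apply: an ownership predicate and a parameterized query.

```python
import sqlite3

# Constructed sample data: three exam records belonging to three different
# patients. Schema, ids and file names are invented for this example.
EXAMS = [
    (120, "patient-A", "exam-120.pdf"),
    (121, "patient-B", "exam-121.pdf"),
    (122, "patient-C", "exam-122.pdf"),
]


def build_db():
    """Create and seed an in-memory database so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE exams (id INTEGER PRIMARY KEY, patient_id TEXT, file TEXT)"
    )
    db.executemany("INSERT INTO exams VALUES (?, ?, ?)", EXAMS)
    return db


def fetch_exam_vulnerable(db, exam_id):
    """Hypothetical lookup with both flaws the article describes.

    IDOR: the row is returned by id alone; nothing checks that the caller
    is the patient the exam belongs to, so id=120 serves patient-A's file
    to anyone (and, with no authentication on the host, "anyone" really
    means anyone).
    SQLi: the id is formatted into the SQL text, so a crafted value such as
    0' OR '1'='1 changes the WHERE clause and dumps every row.
    """
    query = "SELECT id, patient_id, file FROM exams WHERE id = '%s'" % exam_id
    return db.execute(query).fetchall()


def fetch_exam_hardened(db, exam_id, requesting_patient):
    """Same lookup with the two fixes applied.

    - The id is validated as an integer before use.
    - The query uses ? placeholders, so the values are bound as data and
      can never be interpreted as SQL (this alone defeats the payload above,
      even without the integer check).
    - The WHERE clause also requires the row to belong to the authenticated
      requester, so changing the id yields nothing for other patients' exams.
    """
    try:
        exam_id = int(exam_id)
    except (TypeError, ValueError):
        return []
    return db.execute(
        "SELECT id, patient_id, file FROM exams WHERE id = ? AND patient_id = ?",
        (exam_id, requesting_patient),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "0' OR '1'='1"
    print("IDOR, vulnerable:  ", fetch_exam_vulnerable(db, "120"))
    print("SQLi, vulnerable:  ", fetch_exam_vulnerable(db, payload))
    print("IDOR, hardened:    ", fetch_exam_hardened(db, "120", "patient-B"))
    print("own exam, hardened:", fetch_exam_hardened(db, "121", "patient-B"))
    print("SQLi, hardened:    ", fetch_exam_hardened(db, payload, "patient-B"))
```

Running the script shows the vulnerable function handing patient-A's record to a caller posing as patient-B and returning all three rows for the injected id, while the hardened function returns only the requester's own exam and an empty result for both the foreign id and the payload. The ownership predicate is the part that is easy to forget: parameterizing the query stops the injection but, on its own, does nothing about the IDOR.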
In both cases, the risk is the same: the undue exposure of medical data, which may lead to sanctions and fines for MAIS Medicina Diagnóstica under the General Data Protection Law (LGPD). Although everything indicates that the vulnerable system is outsourced, responsibility may still fall on the clinic for not having carried out a prior assessment of its supplier's security.
The Hack has contacted MAIS Medicina Diagnóstica and is awaiting the company's response. If it responds, we will update this article.
See the original post at: https://thehack.com.br/denuncia-clinica-medica-do-es-expoe-exames-medicos-por-idor-e-sqli/?rand=48873