Data of 243 Million Brazilians Exposed Online via Website Source Code (zdnet.com)
The personal information of more than 243 million Brazilians, including alive and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health's website for at least six months. From a report: The security snafu was discovered by reporters from Brazilian newspaper Estadao, the same newspaper that last week discovered that a Sao Paulo hospital leaked personal and health information for more than 16 million Brazilian COVID-19 patients after an employee uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems on GitHub. Estadao reporters said they were inspired by a report filed in June by Brazilian NGO Open Knowledge Brasil (OKBR), which, at the time, reported that a similar government website also left exposed login information for another government database in the site's source code. Since a website's source code can be accessed and reviewed by anyone pressing F12 inside their browser, Estadao reporters searched for similar issues in other government sites.
Wow (Score:3)
That must be the most specialised porn site I've ever heard of.
How many? (Score:4, Funny)
How many is a Brazillion?
Re: (Score:2)
One Gazillion Trizillion.
Lots of apps have DB passwords in plain text (Score:2)
Lots of apps have DB passwords in plain text in the config files, but why is a config file part of the page source?
Re: (Score:2)
Some (not so bright) site developers place config files, password files and other stuff in the file space deliverable by the web server. It's just a simple matter of guessing the file name, sticking it in a URL and fetching it.
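Added example, not part of the thread or the ZDNet report: a pre-deployment check for defenders that walks a directory about to be published and flags the two mistakes discussed here, credentials in files sent to the browser and config files left in the web-served file space. The patterns, file names and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed patterns (tune per project): file names that should never sit under the web root.
RISKY_NAMES = re.compile(r"(^\.env$|^\.htpasswd$|\.(ini|conf|cfg|ya?ml|bak|sql)$|^config\.(php|json)$)", re.I)
# Credential-like assignments in content that is delivered to browsers.
SECRET = re.compile(r"""(?i)\b(pass(word|wd)?|secret|api[_-]?key|token)\b["']?\s*[:=]\s*["']([^"'\s]{4,})["']""")
# user:password@ in URLs, or a hardcoded Basic Authorization header.
BASIC = re.compile(r"""(?i)(https?://[^/\s:@]+:[^/\s:@]+@|Authorization["']?\s*[:=]\s*["']Basic\s+[A-Za-z0-9+/=]{8,})""")
CLIENT_SIDE = {".html", ".htm", ".js", ".json", ".map"}

def audit_webroot(root):
    """Return (relative_path, line_no, finding) tuples for a deployable directory."""
    findings = []
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if RISKY_NAMES.search(path.name):
            findings.append((rel, 0, "config-file-in-webroot"))  # line 0 = whole file
        if path.suffix.lower() not in CLIENT_SIDE:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if SECRET.search(line):
                findings.append((rel, no, "hardcoded-credential"))
            elif BASIC.search(line):
                findings.append((rel, no, "basic-auth-credential"))
    return findings

def audit_sample():
    """Build a constructed sample web root (all values made up) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text("<h1>Portal</h1>\n<script src='js/app.js'></script>\n")
        (root / "js" / "app.js").write_text(
            "const api = '/records';\n"
            "const cfg = { user: 'svc', password: 'EXAMPLE-not-real' };\n"
            "fetch('https://svc:EXAMPLE@db.example.invalid/q');\n")
        (root / "settings.ini").write_text("[db]\npassword=EXAMPLE-not-real\n")
        return audit_webroot(root)

if __name__ == "__main__":
    for rel, no, kind in audit_sample():
        print(f"{rel}:{no}: {kind}")
```

Run as a build step and fail the deployment on any finding; the lasting fix is to keep credentials server-side so the browser only ever talks to an authenticated API.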
BS or bad journalism? (Score:2)
Re: (Score:3)
Re: BS or bad journalism? (Score:1)
Re: (Score:3)
So, every Brazilian who ever lived in the past 20 or 30 years?
I'm too lazy to do the math, but the number doesn't make sense!
Brazil pop was 209.5 million as of 2018. Mean death rate for Brazil from 1993-2018 is roughly 6.3 per 1k individuals per year. With rounding, you get 1,260,000 dead per year. Over 25 years that is 31,500,000 dead. 31.5m plus 210m is 241.5 million. Yep, sounds about accurate to me.
Re: (Score:1)
Data of 243 Bazillion Millennials Exposed Online via Website Source Code
That's modern journalism!
Re: (Score:1)
"The current population of Brazil is 213,197,088 as of Thursday, December 3, 2020, based on Worldometer elaboration of the latest United Nations data." https://www.worldometers.info/... [worldometers.info]
It's actually a simple matter of RTFS, or at least the first part of the first sentence.
"The personal information of more than 243 million Brazilians, including alive and deceased..."
Re: BS or bad journalism? (Score:1)
Re: (Score:1)
Well, if you would start with reading, you can move up to thinking in time.
243 million Brazilian? (Score:5, Funny)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Math is hard. Let's go shopping!
Re: (Score:1)
Million, billion, trillion, brazillion...
Can we have some technical accuracy on /.? (Score:3)
No, it doesn't work like that. The HTML that the website sends to the browser can be accessed, but not the source code itself.
Re: (Score:2)
I should add that the source of the scripts that the website sends to the browser can also be viewed and I wonder if one of the scripts contained the password.
Re: (Score:2)
Simply replacing "website" with "web page" would cover it.
Re: (Score:3)
<h1>Main Topics</h1>
Yeah, the html source can be the source.
Some say "it's so much faster to use ###".
Then we always have a race to see who can build a simple web page the quickest and I'm done right about the time their IDE finishes loading all its plugins.
Re: (Score:2)
Ha! I'm probably older than you.
Re: (Score:2)
And you still thought you need to have a .NET or Python application dynamically generate all HTML; you didn't think static pages could exist?
Re: (Score:2)
When did you last see a website that is pure HTML? It's not that they don't exist, it's that they are very rare these days. Remember that the claim wasn't that the page's source code was visible, it was that the website's source code was visible. The implication is the entire website source code, not a single page.
As a Brazilian, be sure of that: (Score:1)
We don't care.
Nobody thinks it could have been malicious intent? (Score:2)
After the past 4 years I'm leaning heavily toward "ascribe to malicious intent rather than assume incompetence".