Estonia Says a Hacker Downloaded 286,000 ID Photos From Government Database (therecord.media) 11
Estonian officials said they arrested last week a local suspect who used a vulnerability to gain access to a government database and downloaded government ID photos for 286,438 Estonians. From a report: The attack took place earlier this month, and the suspect was arrested last week on July 23, Estonian police said in a press conference yesterday, July 28. The identity of the attacker was not disclosed, and he was only identified as a Tallinn-based male. Officials said the suspect discovered a vulnerability in a database managed by the Information System Authority (RIA), the Estonian government agency which manages the country's IT systems.
Re: (Score:2)
I thought Estonia was the world leader in electronic identification and elections. Are you telling me that it was all built on a poorly maintained LAMP stack?
Nope, a poorly designed authentication system.
To exploit the vulnerability, RIA said the attacker had to provide the name of an Estonian citizen, along with their correct personal identification code.
Re: Estonia was the leader in electronic IDs (Score:2)
API call was allowed without limiting the client cert's signer by mistake.
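The comment above attributes the flaw to an API call that did not restrict which CA had signed the client certificate. As an added example (not code from RIA or from anyone in this thread), the sketch below contrasts that loose check with a deny-by-default issuer allow-list per endpoint; the endpoint path, CA names and certificates are constructed, and the dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added illustration. All names, DNs and paths are constructed placeholders.
# Certificates use the dict shape of ssl.SSLSocket.getpeercert(), i.e. they
# are assumed to have already passed TLS chain validation against the
# server's trust store, which may contain several CAs.

def _dn(country, org, cn):
    """Build a distinguished name in getpeercert() tuple form."""
    return ((("countryName", country),),
            (("organizationName", org),),
            (("commonName", cn),))

SERVICE_CA = _dn("EE", "Constructed Org", "Constructed Service CA")
OTHER_CA = _dn("EE", "Constructed Org", "Constructed Other CA")

# Policy: which issuing CA may call which API path (hypothetical path).
ENDPOINT_ISSUERS = {
    "/photo/lookup": {SERVICE_CA},
}

# Constructed sample peers: both chain to a CA in the trust store.
SERVICE_CERT = {"subject": _dn("EE", "Constructed Org", "backend-01"),
                "issuer": SERVICE_CA}
OTHER_CERT = {"subject": _dn("EE", "Constructed Org", "someone-else"),
              "issuer": OTHER_CA}


def authorize_loose(path, peercert):
    """The mistake: any certificate that validated at the TLS layer is let in,
    regardless of which trusted CA signed it."""
    return bool(peercert)


def authorize_strict(path, peercert):
    """Deny by default: the full issuer DN must be on the path's allow-list."""
    if not peercert:
        return False  # no client certificate presented
    allowed = ENDPOINT_ISSUERS.get(path, set())  # unknown path: nobody allowed
    return peercert.get("issuer") in allowed


if __name__ == "__main__":
    for name, cert in (("service", SERVICE_CERT), ("other", OTHER_CERT)):
        print(name,
              "loose:", authorize_loose("/photo/lookup", cert),
              "strict:", authorize_strict("/photo/lookup", cert))
```

The same restriction can also be enforced at the TLS layer by giving the endpoint a trust store that contains only the intended CA, so other certificates fail the handshake.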
Re: (Score:2)
Also e-Residents of Estonia [wikipedia.org] - something that I have just become to help with Brexit [wikipedia.org]. I do not know how many of us there are.
My observation (Score:3)
July 16 – SK ID Solutions informs RIA of a higher number of queries.
July 21 – RIA detects the mass download of data from the Identity Documents Database (KMAIS) through additional monitoring and closes the service.
Well, 17-18 was the weekend, then they remembered to do something about it on Wednesday.
Re: (Score:2)
Outdone by Lithuania. In a big way.
Could have gotten 2x as many with far less hassle (Score:2)