Stream: social
Topic: An error in Madrid vaccination website leaks data
Diego Bosca (Jul 08 2021 at 16:13):
Text in Spanish, but do you see something interesting in the image? :grinning_face_with_smiling_eyes:
https://www.eldiario.es/tecnologia/fallo-web-sanidad-madrid-deja-descubierto-datos-rey-miles-personas_1_8114359.html
Also, I think they are using the extensions wrong :thinking:
John Moehrke (Jul 08 2021 at 17:15):
I think they figured if they used extensions, then people would not notice that the patient's full name is in the json.... obscurity based security
Paul Church (Jul 08 2021 at 17:22):
I think that's just because the paternal and maternal family names are treated differently. Is there something wrong with the extensions? They look plausible to me.
John Moehrke (Jul 08 2021 at 17:41):
my point is that the fact the name is there is the FACT of the "website leak". Had the data just used opaque identifiers, the data would have not been otherwise identifiable (well, they did use the individual's EU identifier). So many failures.. but obscurity through use of an extension was my point.
Vassil Peytchev (Jul 08 2021 at 19:21):
I don't think these particular extensions have anything to do with obscurity - the handling of non-English based names almost always requires extensions. In this particular case, in Spanish the family name is a concatenation of paternal and maternal names, and which is which is probably part of the demographics.
Diego Bosca (Jul 09 2021 at 00:17):
yeah, the initial capture didn't have the extension url censored, but somehow they decided the uri to the extension itself was also patient information
Diego Bosca (Jul 09 2021 at 00:18):
Paul Church said:
I think that's just because the paternal and maternal family names are treated differently. Is there something wrong with the extensions? They look plausible to me.
I believe that extensions are only valid inside a humanname.family attribute, not directly over the name
Jose Costa Teixeira (Jul 09 2021 at 09:02):
The extensions look fine. The resource shown seems to be a Patient, so what I understand is that it was possible for some time to do a GET /Patient?identifier=15 and get the Patient resource for the king
John Moehrke (Jul 09 2021 at 11:48):
not just the king... anyone.. all you needed was the EU identifier... and there was no protection against brute force attacks just sequentially going thru numbers
Diego Bosca (Jul 12 2021 at 09:39):
That's right
Diego Bosca (Jul 12 2021 at 09:41):
Jose Costa Teixeira said:
The extensions look fine.
wouldn't the father/mother name extension go into a "_family" json element?
Jose Costa Teixeira (Jul 12 2021 at 10:11):
You are right. I don't see the full URL, but then I looked and these really seem the standard FHIR extensions
Jose Costa Teixeira (Jul 12 2021 at 10:14):
so, you could make extensions on the name, but if the url that is redacted is http://hl7.org/fhir/StructureDefinition/humanname-fathers-family, those extensions are indeed not in the correct place.
Jens Villadsen (Jul 12 2021 at 17:57):
What is an EU identifier (asking as an EU citizen)?
Jose Costa Teixeira (Jul 12 2021 at 20:00):
There is no such thing (at least I prefer to think there's no such thing)
Diego Bosca (Jul 13 2021 at 11:17):
yeah @Jose Costa Teixeira , newspaper censored the uri of the extension a couple of hours after they published it (not sure why they would do that...). The uris were humanname-fathers-family and humanname-mothers-family
Last updated: Apr 12 2022 at 19:14 UTC