
Web cloning for the October 1 event in Catalonia exposes the census data

The web database for the event held in Catalonia on October 1 would have been compromised by the website duplication system built on the IPFS protocol.

This website is about hardware and technology; politics (or whatever it is politicians are supposed to do) we are going to leave to the politicians. But there is something very important about the 'referendum' held in Catalonia this past weekend. The Spanish state's blocking of the event's web pages forced the organizers to use the IPFS protocol, which is a very serious error. Using this protocol has exposed the voters' data.

Sergio López (@slp1605 on Twitter) uncovered this problem without being a technology professional or working in computer security. He realized that anyone with a home computer can see the name, NIF, date of birth and all the personal data of the voters in last weekend's event. The data has possibly already been obtained by many astute people, which could lead to the impersonation of users.

Hacker News reported that those responsible for the October 1 event used the InterPlanetary File System, or IPFS, which led López to look for more data. The protocol 'makes the web faster, safer and more open', as its website puts it, and it simply duplicates websites, with their contents, code and databases, using the users who access them as nodes of the site. As a way to avoid crashes, that's fine, but the problem is that the database is exposed, as López explains. Making the database easy to access is a big problem in itself, and the design of this database makes a potential attack to obtain the data even simpler.

The entries, defined by NIF, date of birth and postal code, have a code generated by hashing with 1714 iterations of the SHA-256 algorithm. The number 1714 corresponds to September 11, 1714, the date Barcelona was conquered during the War of the Spanish Succession, a date used by those aligned with independence. Hashing alone is not enough, since the database entries have not been encrypted, nor do they have a salt, which would protect each entry individually. This makes attacks easy, as López says.
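The following is an added example, not code from the article or from López, showing what the missing salt changes: an unsalted iterated SHA-256 always maps the same fields to the same code, while a per-entry salt makes every entry's code unique. The field order, the concatenation, the PBKDF2 parameters and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 1714  # iteration count stated in the article


def unsalted_id(nif: str, birth: str, postal: str) -> str:
    """Iterated SHA-256 with no salt, as the article describes.
    Field order and plain concatenation are assumptions."""
    digest = (nif + birth + postal).encode()
    for _ in range(ITERATIONS):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def salted_id(nif: str, birth: str, postal: str, salt: bytes,
              iterations: int = 600_000) -> str:
    """Hardened variant: random per-entry salt and a far higher
    PBKDF2-HMAC-SHA256 iteration count (assumed parameters)."""
    secret = (nif + birth + postal).encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations).hex()


def verify_salted(nif: str, birth: str, postal: str, salt: bytes,
                  expected: str, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_id(nif, birth, postal, salt, iterations)
    return hmac.compare_digest(candidate, expected)


def work_factor_bits(iterations: int) -> float:
    """Bits of extra effort per guess that iterating the hash adds."""
    return math.log2(iterations)


# Constructed sample values, not real personal data.
RECORD = ("00000000T", "1980-01-01", "08001")

if __name__ == "__main__":
    # Unsalted: identical input gives an identical code every time, so one
    # precomputed table of candidate inputs applies to every entry at once.
    print("unsalted repeatable:", unsalted_id(*RECORD) == unsalted_id(*RECORD))
    # Salted: the same input under two salts gives unrelated codes.
    s1, s2 = os.urandom(16), os.urandom(16)
    print("salted differ:",
          salted_id(*RECORD, s1, 1000) != salted_id(*RECORD, s2, 1000))
    print("1714 iterations add %.1f bits" % work_factor_bits(ITERATIONS))
```

The 1714 iterations add only about 10.7 bits of work per guess, a constant factor that does not make up for inputs drawn from a small, structured set of values.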

López has also commented that if he, with basic knowledge of security and cryptography, has been able to gain access, he is sure that hackers with far greater knowledge have had this data for a long time, and he invites the developers of these websites to take them down for security. This security problem is very serious and may lead many users to file lawsuits over the failure to guarantee the security and privacy of their personal data.


Robert Sole

Director of Contents and Writing of this same website, technician in renewable energy generation systems and low voltage electrical technician. I work in front of a PC, in my free time I am in front of a PC and when I leave the house I am glued to the screen of my smartphone. Every morning when I wake up I walk across the Stargate to make some coffee and start watching YouTube videos. I once saw a dragon ... or was it a Dragonite?
