Insecurity as a State Policy — Argentina

By Joaquín

First of all let me introduce myself:
I’m Joaquín Serna from Buenos Aires, Argentina. I’ve been studying computers for as long as I can remember, recently graduated from a technical school after studying computer science and currently studying computer science at the Facultad de Cienciad Exactas at the Universidad of Buenos Aires.
About a month ago I was inquiring some information about Argentina’s national government at the official state website when I was redirected to this login website.

Mi Argentina login screen

This was an unseen “feature” to me but wasn’t planning on registering cause it asks your identity document and a password (which I try to keep away from the government even though I never use the same one) so instead I tried to login with our President Mauricio Macri’s identity document and see through the devtools what information was sent and received. I was deniedaccess even before it asked for a password and got the following as response.

{
"result": {
"username": "CUIL:20131204699",
"first_name": "Mauricio",
"enable": false,
"is_renaper": false,
"next": "/authorize/?client_id=613410&response_type=code&scope=openid+profile+email+optional&redirect_uri=https://mi.argentina.gob.ar/_oauth/oidc&state=eyJsb2dpblN0eWxlIjoicmVkaXJlY3QiLCJjcmVkZW50aWFsVG9rZW4iOiJBTm9SUEhZNTdqallaa1J1cSIsImlzQ29yZG92YSI6ZmFsc2UsInJlZGlyZWN0VXJsIjoiaHR0cHM6Ly9taS5hcmdlbnRpbmEuZ29iLmFyLyJ9",
"full_name": "Mauricio Macri"
},
"error": null
}

There’s more information in there that was needed for a simple “access denied”.

Since enable is false, the website does a series of redirections until it returns to the login site again without any type of error or anything else. Next thing I did was try with my own identity document to see what changes from one to another but it didn't response with some data as above, instead it throw me this error on the website with a link to register which uses the URL params to help fill some fields but instead of building this link in the browser, the error with the link was sent as the response to the login.

Login error
{
"step": "id",
"error": "El número que ingresaste no está registrado. Por favor intentá de nuevo o <a href='/registro/?next=/&fields={\"id_type\":\"CUIL\",\"id_number\":\"20XXXXXXXX4\"}' style='text-decoration: underline; color: #a94442;'>registrate</a>."
}

Next thing I tried was obviously sending some handcrafted HTML code to see what happened and as I was expecting: XSS.

XSS in login site

It isn’t a full-power XSS since the server uppercase everything and that makes it difficult to run JS functions and it is length limited.

I reported this 08/06/2018 and came back 08/11/2018 to see if it was fixed since its a simple bug. In summary it wasn’t fixed and I found something else.
To access the login site I first visited argentina.gob.ar and as soon as the web loads I saw this search form and thought were’s one XSS there’s two.

argentina.gob.ar index site

First I made a test request to see if anything was exploitable and indeed it was. After some more testing I arrived at a very decent and compact full XSS exploit using <svg onload=alert(1)><!--

XSS in argentina.gob.ar search

This two vulnerabilities have been reported and are fairly easily to fix but at the moment aren’t yet. I was hoping for the government to take its security more serious. As I have no intention to harm I didn't try doing SQL Injection in certain pages that look like exploitable entry points but I believe fairly that the whole system and maybe even its infrastructure is vulnerable and a National Government should take this more seriously.