Blogger proves flaws in Ecuadoran security system by hacking president's identity

Paul Moreno, an Ecuadoran blogger, found a flaw in DatoSeguro, the country's national online identity database, and demonstrated it by registering an account in the name of President Rafael Correa. He was briefly arrested, then released after a vociferous Twitter campaign prompted the president himself to order Moreno freed. Moreno triumphantly announced the outcome on Twitter.

Citing a Wired story on password security, Moreno set out on Nov. 26 to demonstrate a security flaw in DatoSeguro with an attention-getting proof of concept: registering President Correa's account. He began by collecting the president's personal data, and once equipped with Correa's date of birth and national identification number, both found through online searches, he had two of the three pieces of information the enrollment asked for. The third was two digits from a code printed on the national identity card, which he guessed on his first try. Since the system asked for only two digits, there were at most 100 possibilities, and Moreno's observation that the issued codes follow simple patterns narrowed the odds further. With that, he had access to Correa's account. "Out of curiosity, I noticed one time that the fingertip digits in the IDS are all very similar," he wrote on his blog. "There's a V or an E or an A followed by various numbers: V23444 – E5444 and so on…combinations that are very simplistic, apparently. The system asked me for the third and fourth numbers of the fingertip digits. With the first combination, I got the numbers right and my account was created. After verifying the email the system sends, I had access to all Rafael Vicente Correa Delgado's so-called secure data. It took me about half an hour, maybe less."

Blogger Jailed After Password-Hacking Ecuador’s President [Wired/Mat Honan]
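The numbers behind this are worth making concrete. The following is an added example, not code from the article, from Moreno's blog or from DatoSeguro. It models the registration check as the article describes it: two facts that are effectively public (date of birth, national ID number) plus a two-digit secret from the identity card. It also counts the space for a full two-block code of the shape "V23444 – E5444", which is the much larger number a reader arrives at if they assume the whole code had to be guessed. The class and function names, the five-attempt lockout, the guess orderings and the biased sample of "issued" codes are assumptions for the demonstration.

```python
# Added example: a constructed model of a two-digit identity challenge.
# Names, the lockout limit and the sample data below are assumptions, not
# details of the real DatoSeguro system.

LETTERS = "AEV"  # letters observed in the first slot of each code block
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_space_full_code(letters=LETTERS, digits_per_block=(5, 4)):
    """Candidates for a complete two-block code shaped like 'V23444 - E5444':
    each block is one letter followed by the given number of decimal digits."""
    n = 1
    for d in digits_per_block:
        n *= len(letters) * 10 ** d
    return n  # 3*10^5 * 3*10^4


def guess_space_two_digits():
    """The check Moreno describes asks only for the 3rd and 4th digits."""
    return 10 ** 2


def average_years_online(space, guesses_per_second):
    """Expected time to hit a uniformly random secret by online guessing:
    on average half the space must be tried."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


class TwoDigitVerifier:
    """Constructed stand-in for the enrollment step: accepts or rejects a
    two-digit guess and, if max_attempts is set, locks the identity after
    that many attempts (assumed countermeasure, not the real system's)."""

    def __init__(self, secret, max_attempts=None):
        self.secret = secret  # e.g. "34"
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def check(self, guess):
        if self.locked:
            return False
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
            return False
        self.attempts += 1
        return guess == self.secret


SEQUENTIAL = [f"{i:02d}" for i in range(100)]
# Ordering that exploits Moreno's observation that issued codes repeat digits
# ("V23444", "E5444"): doubled pairs first, then everything else.
DOUBLES_FIRST = [f"{d}{d}" for d in range(10)] + [g for g in SEQUENTIAL if g[0] != g[1]]
# Constructed population of "issued" secrets skewed toward repeated digits.
BIASED_SAMPLE = ["44", "44", "33", "55", "27", "44", "99", "12", "66", "44"]


def brute_force_two_digits(verifier, order=SEQUENTIAL):
    """Try candidates in order. Returns attempts used on success, or None if
    the verifier locked the identity first."""
    for guess in order:
        if verifier.check(guess):
            return verifier.attempts
        if verifier.locked:
            return None
    return None


def success_rate(max_attempts, order=SEQUENTIAL, secrets=SEQUENTIAL):
    """Fraction of the given secrets recovered before lockout."""
    hits = sum(
        brute_force_two_digits(TwoDigitVerifier(s, max_attempts), order) is not None
        for s in secrets
    )
    return hits / len(secrets)


if __name__ == "__main__":
    print("full-code space:", guess_space_full_code())
    print("two-digit challenge space:", guess_space_two_digits())
    print("avg years to guess a full code at 10/s:",
          round(average_years_online(guess_space_full_code(), 10), 1))
    print("attempts to find '34', no lockout:", brute_force_two_digits(TwoDigitVerifier("34")))
    print("attempts to find '34', 5-try lockout:", brute_force_two_digits(TwoDigitVerifier("34", 5)))
    print("uniform secrets, 5-try lockout:", success_rate(5))
    print("biased secrets, sequential order:", success_rate(5, SEQUENTIAL, BIASED_SAMPLE))
    print("biased secrets, doubles first:", success_rate(5, DOUBLES_FIRST, BIASED_SAMPLE))
```

Without any attempt limit the two-digit challenge falls in at most 100 online guesses, so the public facts carry no security and the two digits carry almost none. An attempt limit restores some of it against uniformly random codes, but if the issuer hands out patterned codes, as Moreno says he observed, an attacker who orders guesses by that pattern still does well inside the limit; the fix has to be a real secret, not a better lockout.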


  1. “The third was a set of two numbers from an identity card, which he simply guessed.”

    ??? Unless he was happy with a 1% chance of success, there’s more to this part. 

  2. I would like some more information on the numbers that he “simply guessed”.  There must be more of a pattern than is mentioned in the Wired article.  The number combination he guessed is: 

    V23444 – E5444

    Even understanding that the first character will be only A, E, or V, that still leaves 9 base-10 digits of entropy in addition to those two 3-character slots. 
    If my understanding is correct, the number of permutations could be calculated with 3*10*10*10*10*10*3*10*10*10*10 =  9,000,000,000  (because 3 letters and 10 digits are possible in each position)

    An online attack should be pretty infeasible with that many guesses.  At 10 guesses per second, it would take an average of about 14 years.

    Sounds like there are some details that aren’t available about this vulnerability yet.

  3. “prompted action from the president, who personally ordered Moreno’s release”
    Guess what would’ve happened if he tried this in the “Land of the free” instead of some third-world South American backwater country…
