Hacking 14 Million+ Personal Records: Walk-through.
Published on: 1177954878
I decided to write a walk-through of what I found today. It's a little risky, but what the heck. The target is DigID, digid.nl. This site maintains about 14 million-plus accounts. That is almost everyone in my country. Even I have an account there, because I must by law. Since I don't trust my government in its pursuit of security, I'm going to publish this. I only show you basic XSS examples and no SQL injection points, due to possible legal threats. So I do not hack it, because they would throw me in prison. :) Still, I can show you the low-hanging fruit and what our first step could be if we really wanted to target their servers.
So, DigID stores digital IDs online for everyone in my country. With the ID you can authenticate yourself for almost anything: tax submission, social security, etcetera.
First I check their IP range:
inetnum: 217.114.102.40 - 217.114.102.47
netname: DIGID-CMS
rev-srv: ns1.virtu.nl
rev-srv: ns2.virtu.nl
So, it seems it is hosted by virtu.nl.
I visited virtu.nl and it seems they are some "leading" security hosting firm in my country. They are located in an old bank building with thick walls to protect their servers. That sounds really smart. Maybe they take security seriously?
First let's use Google.
When I googled site:virtu.nl, I got enough results to try out: a lot of pages with possible entry points for us. Among the interesting ones:
http://www.virtu.nl/vedor/loader.php/-KCtz-/system/ariadne.html