The junta laid bare

A nationwide OSINT audit of Burkina Faso's government infrastructure exposed more than 110 organizations across the executive, military, financial and telecommunications sectors: 7.1 GB of evidence, 32 password hashes on 7 sites, 4,611 exposed résumés and a single unauthenticated SQL endpoint that returns 83,770 procurement records. No login.


BURKINA FASO JUNTA, 110+ ORGANIZATIONS. OSINT investigation

Campaign statistics

Five sequential OSINT sweeps against Burkina Faso's digital infrastructure — telecoms, ministries, banks, police, judiciary, and the national data platform — produced the following aggregate results. All data was retrieved through unauthenticated public endpoints.

  • 7.1 GB of evidence collected
  • 110+ organizations audited
  • 83,770 government records extracted
  • 14 ministries on an EOL stack
  • 4,611 résumés exposed
  • 32 password hashes recovered
  • 3,956 unique emails leaked
  • 49,290+ files mirrored

A single curl command

It started — as it usually does — with a single line in a terminal.

curl -s https://trino.data.gov.bf/v1/statement -d "SELECT * FROM public_markets.entreprises"

The Trino SQL engine returned 2,101 company records. No authentication. No rate limiting. No firewall. Burkina Faso's national data lakehouse — created February 2, 2026 and running Apache Iceberg + Trino v476 + Nessie + MinIO + Apache Superset + Airflow — accepts unauthenticated SQL queries against every table in the catalog. The platform is operated by the government on behalf of the junta-led executive, and it serves the most sensitive procurement, bidder, and contract data of the state.

Three blocks of the audit covered different surfaces — an unauthenticated WordPress REST API across 25+ WordPress installs, a Strapi CMS leaking executive identities, and a Joomla/Drupal/TYPO3 zoo running on PHP 7.3 (EOL since December 2021) — but the single most damaging finding was simply that you could read everything by typing a SELECT.

No exploit was used. No credentials were brute-forced. No firewall was bypassed. The platform was, in practice, a public read replica of the Burkinabè state's procurement database — except the public did not know it was public.

Why Burkina Faso, why now

Burkina Faso is governed by a transitional military government that took power in September 2022 under Captain Ibrahim Traoré. The country is in active conflict with armed jihadist groups across more than 40% of its territory, has expelled French forces, has rotated toward Russia and the Africa Corps (Wagner's successor), and is under multiple sanctions regimes. In that posture, the digital perimeter of the state matters: every exposed ministry, every leaked email, every WordPress admin account is intelligence for someone.

ODINT does not take sides in Burkina Faso's domestic politics. Our mandate is to document what infrastructure is publicly visible, and to publish those findings so that citizens, journalists, and the affected institutions know what every internet-connected adversary already knows.

Audited targets

The audit covered 110+ Burkinabè government, parastatal, banking, telecom, education, and media organizations. The following are the most consequential exposures, grouped by sector.

Government and junta infrastructure

data.gov.bf
National Data Platform — Trino v476 + Nessie + MinIO + Superset + Airflow + Portainer
Vector: Unauthenticated SQL via /v1/statement
Data: 22 Iceberg tables, 8 schemas, 83,770 records
Status: STILL LIVE — created 2026-02-02

presidencedufaso.bf
Office of the President — WordPress (login page accessible)
Vector: WP login page exposed; REST API blocked by Really Simple Security
Hosting: Registered to ECODEV INTERNATIONAL ([email protected])

primature.gov.bf
Prime Minister's Office — WordPress, exposed debug.log
Vector: /wp-content/debug.log readable
Leak: Server path /home/u618040573/domains/rbjli.org/public_html/site_primature/, Hostinger account, Akeeba/Elementor/tagDiv plugin stack

sig.bf
Government Information Service — controls the defense.gov.bf and securite.gov.bf websites
Vector: WP REST API open
Users exposed: 5 (admin slug "admin", Direction Web team)
Content: 4,432 posts, 1,098 PDFs, 108 Word docs

arcep.bf
Telecom Regulator — controls the .bf top-level domain
Vector: WP REST API open + .htaccess publicly readable
Users exposed: 5 (webmaster, atraore, Stella Ouedraogo, Yacouba KOUSSOUBE, Lucien Manzaba)

anptic.gov.bf
National IT & Digital Agency — the government's own WordPress leaks users
Vector: WP REST API open while iThemes Security returns a DB connection error
Users exposed: 3 (webmaster, Aicha Ilboudo / DCRP, Axelle OUEDRAOGO)

Defense and security (14 ministries on the same TYPO3)

defense.gov.bf / securite.gov.bf / 12 other ministries
TYPO3 Government Cluster on Apache + PHP 7.3.31 (EOL Dec 2021)
Vector: /typo3/install.php returns HTTP 200 on ALL 14 sites — install tool open
Ministries: Defense, Security, Finance, Health, Education, Foreign Affairs, Agriculture, Commerce, Youth, Communication, Civil Service, Environment, Justice, plus Conseil Supérieur de la Communication
Shared GA: Defense and Security ministries share Google Analytics property UA-144182518

police.gov.bf
National Police — Joomla 3.7.2 (May 2017, 9 years old)
Vector: /administrator/ login page accessible
Contractor: YTCVN (Vietnamese) — foreign code access to the police site

academiedepolice.bf
National Police Academy — full hosting stack exposed (PlanetHoster, Canada)
Vector: cPanel, WHM, Webmail, WebDisk, FTP, Moodle 2.9 (EOL 2016) all live
Guest creds in source: Moodle login HTML embeds guest/guest — WORKING
Exposed: 82 courses, 8 promotions of cadets, 500+ user accounts, counter-terrorism curriculum visible

anssi.bf
National Cybersecurity Agency — Django admin login
Vector: /admin/login/ returns 302 to login (modern stack, Tailwind UI)
Named email: [email protected]

Banking and finance

www.sbiftrade.bf
BRVM Stock Trading API — WCF / IIS 10.0 / ASP.NET
Vector: Service.svc/* — 30+ REST endpoints UNAUTHENTICATED
Exposed: Place orders, cancel orders, modify orders, portfolio quantities, market snapshot, fund listings
Leak: GetAppVersion returns a SQL stack trace with table names

bank-of-africa.net
Bank of Africa (regional, Burkina-active) — WordPress + WP Job Manager
Vector: /wp/v2/resumes — 4,611 CVs publicly downloadable
Exposed: 3,956 unique emails, 4,589 CV file URLs at /wp-content/uploads/resumes/resume_files/
Webmaster: Yassine CHRAIBI, BOA Group

burkina.coris.bank
Coris Bank International — WordPress, Outlook SMTP callback
Users exposed: 2 (coris_admin, coris)
Content: 1,569 media items, 13 banking products, 10 subsidiaries across 9 countries

rcpb.bf
Réseau des Caisses Populaires — 1M members, 32 branches
Users exposed: Aminata SEDOGO, Brice OUEDRAOGO + vendor E-CONSULTING
Emails enumerable: 37 @rcpb.bf addresses (cp-{city}@rcpb.bf branch pattern)
Staging URL: vt7knbotjj.preview.infomaniak.website leaked

sofitex.bf
National Cotton Company — Microsoft Exchange Server 2019
Vector: Internal hostnames leaked (MV56, MV57) via the X-FEServer header
Exposed: OWA, ECP, EWS, Autodiscover, OAB, RPC, MAPI, ActiveSync
Patch posture: Exchange 2019 CU14 — assess for ProxyShell/ProxyLogon variants

Telecom and critical services

serviceclient.moov-africa.bf (ONATEL)
National Telecom Customer Portal "Nectar+"
Vector: CORS misconfiguration — Access-Control-Allow-Origin: * WITH Access-Control-Allow-Credentials: true
Impact: Any website can make credentialed cross-origin requests against the portal

onea.bf
National Water Utility — domain EXPIRED 2025-05-17 but still resolving
Vector: WP REST API still serving 3 user accounts on an expired domain
Hijack risk: If it lapses fully, anyone may register onea.bf and intercept water-utility traffic

cms.sonabhy.bf
National Petroleum Company (SONABHY) — Strapi CMS
Vector: /api/content-type-builder/content-types — full schema dumped
Exposed: 24 executives (including RSSI Justin OUEDRAOGO, DSI Salifou OUATTARA), 9 board members, 13 projects, procurement records
Infrastructure leak: Strapi instance ID, DigitalOcean App ID, 2 Cloudinary accounts

mailer.gov.bf
Government Email Gateway — Keycloak OIDC + BlueMind
Vector: OIDC discovery endpoint fully public, master realm also accessible
Grant types enabled: authorization_code, implicit, refresh_token, password, client_credentials, CIBA, device_code
Realm: global.virt — admin console accessible at /keycloak/admin/master/console/

Critical findings

data.gov.bf — 83,770 records via unauthenticated SQL CRITICAL
Engine: Trino v476 + Apache Iceberg + Nessie + MinIO
Tables: 22
Records dumped: 83,770
A modern data lakehouse running every governance buzzword in the catalog — Iceberg, Nessie, Superset, Airflow, Portainer — and operated by the Burkinabè state to centralize procurement and analytics. The Trino SQL engine accepts unauthenticated SELECTs against every table. Tables include soumissionnaires (78,621 bidder records, 24 columns, FCFA+USD amounts), entreprises (2,101 companies with name, address, phone, email, IFU, RCCM tax IDs), attributions (720 contract awards), offres (1,001 market offers), procedures (264 procurement procedures), and Airflow's own pipeline_registry. Trino uses OFFSET N LIMIT M syntax (not MySQL ordering).
Tables dumped:
  • soumissionnaires: 78,621 rows (FCFA + USD amounts, rankings, IFU tax IDs)
  • entreprises: 2,101 rows (name, address, phone, email, IFU, RCCM)
  • attributions: 720 rows (winner names, amounts, timelines)
  • offres: 1,001 rows (HTVA / TTC / corrected / negotiated)
  • procedures: 264 rows (financing details)
  • appels_offre: 241 rows (open tenders)
  • resultats: 400 rows (procurement results)
  • lots: 346 rows (contract lots with budget ranges)
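As an added example (not ODINT's tooling and not data.gov.bf's actual configuration), the check below reads a Trino coordinator's config.properties and reports the settings that let bare SELECTs through. Both configs are constructed, the keystore path is a placeholder, and PASSWORD authentication additionally needs an etc/password-authenticator.properties file to be functional.

```python
"""Audit a Trino coordinator config.properties for the open-access posture
reported on data.gov.bf. Added example; both configs are constructed."""

from typing import Dict, List

# Constructed: the posture implied by an endpoint answering bare SELECTs.
OPEN_CONFIG = """\
coordinator=true
node-scheduler.include-coordinator=true
http-server.http.port=8080
discovery.uri=http://localhost:8080
"""

# Constructed: PASSWORD authentication over TLS, plain HTTP switched off.
# PASSWORD auth also needs etc/password-authenticator.properties
# (for example password-authenticator.name=file).
HARDENED_CONFIG = """\
coordinator=true
node-scheduler.include-coordinator=true
http-server.http.enabled=false
http-server.https.enabled=true
http-server.https.port=8443
# placeholder path, not a real deployment value
http-server.https.keystore.path=/etc/trino/keystore.p12
http-server.authentication.type=PASSWORD
discovery.uri=https://localhost:8443
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java-properties reader: key=value lines, '#' comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _flag(props: Dict[str, str], key: str, default: str) -> bool:
    return props.get(key, default).strip().lower() == "true"


def trino_auth_findings(text: str) -> List[str]:
    """Report who can submit SQL to /v1/statement under this configuration."""
    p = parse_properties(text)
    findings = []
    if not p.get("http-server.authentication.type", "").strip():
        # Without an authenticator Trino takes the X-Trino-User header at face
        # value, so any client that reaches the port runs SQL as any user.
        findings.append("no authentication type: unauthenticated SQL accepted")
    if not _flag(p, "http-server.https.enabled", "false"):
        findings.append("TLS disabled: queries and results travel in clear text")
    if _flag(p, "http-server.http.enabled", "true"):
        findings.append("plain HTTP listener enabled")
    if _flag(p, "http-server.authentication.allow-insecure-over-http", "false"):
        findings.append("password authentication permitted over plain HTTP")
    return findings
```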
Bank of Africa — 4,611 CVs / 3,956 emails publicly downloadable CRITICAL
Resumes: 4,611
Unique emails: 3,956
CV URLs: 4,589 PDF downloads
The WP Job Manager plugin's /wp/v2/resumes endpoint serves every job application ever submitted to Bank of Africa — full names, cover letters, timestamps, and direct PDF download URLs to candidates' CVs. The files sit under /wp-content/uploads/resumes/resume_files/. The exposure spans 4,611 individuals seeking employment with a major West African bank — many of them with current jobs at competing institutions, government agencies, and international NGOs.
SBIFTRADE — BRVM stock trading API fully exposed CRITICAL
Platform: WCF / IIS 10.0 / ASP.NET 4.0.30319
Endpoints: 30+ REST, unauthenticated
The trading server for SBIF — the broker on the BRVM (West African stock exchange) — exposes its full WCF contract publicly (WSDL: 161KB + 67KB). 30+ Service.svc/* endpoints respond without authentication, including f_AJORDRE (place order), cancelOrdreFIX (cancel), Modif_ORDRES (modify), qte_PORTEFEUILLE (portfolio quantities), SICAV_LISTE (fund listings), and a live GetMarketSnapshot feed. Calling Service.svc/GetAppVersion returns a SQL stack trace with table names.
14 ministries on PHP 7.3 (EOL Dec 2021) — install tool open on ALL of them CRITICAL
Stack: Apache + PHP 7.3.31 + TYPO3
Shared GA: UA-144182518 (Defense + Security)
Defense, Security, Finance, Health, Education, Foreign Affairs, Agriculture, Commerce, Youth, Communication, Civil Service, Environment, Justice, plus the Conseil Supérieur de la Communication (media regulator) all run the same Apache + PHP 7.3.31 + TYPO3 stack — and /typo3/install.php returns HTTP 200 on every single one of them. PHP 7.3 has been end-of-life since December 2021 with multiple unpatched CVEs. A vulnerability in this shared cluster would compromise 14+ ministries simultaneously.
Moodle 2.9.2 at the Police Academy — guest/guest credentials in HTML source CRITICAL
Platform: Moodle 2.9.2 (released Aug 2016)
Courses: 82
Users: 500+ confirmed
moodle.academiedepolice.bf runs Moodle 2.9.x — 10 years unpatched, with hundreds of known CVEs. The login page embeds guest/guest as hidden form fields, and guest login is CONFIRMED WORKING. The course index reveals counter-terrorism (CTO), criminal intelligence (RC), general intelligence (RG), border management (GDF), crowd control (MO/SMO), criminal law, forensics, and crisis management modules across 8 promotions (4th-11th) of police cadets. The full training curriculum of the Burkina Faso police force is visible to anyone on the internet without authentication.
mailer.gov.bf — Keycloak master realm with password grant enabled CRITICAL
IdP: Keycloak v5 (BlueMind theme)
Realms exposed: global.virt + master
The Burkinabè government email system's identity provider is fully discoverable. All standard OIDC endpoints respond, the master realm's admin console returns HTTP 200, JWKS keys are dumped for both realms (global.virt cert created 2025-03-21, master cert 2024-07-17), and — most damaging — both realms accept the password grant type. That means a discovered username plus a guessed password can be exchanged directly for an access token via /protocol/openid-connect/token, without ever interacting with the BlueMind UI. The credential pattern is well documented (37 @rcpb.bf addresses, the SIG dwXXX webmaster pattern, the dgi.bf staff slugs).
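Two defender-side checks for the Keycloak posture described above, added here and not ODINT's tooling: one over a realm's OIDC discovery document, and one over a realm export to find the clients on which the password (direct access) grant or the implicit flow is actually switched on. The JSON documents, the host and the client IDs are constructed.

```python
"""Defender-side checks for the Keycloak posture reported on mailer.gov.bf:
which grants a realm advertises, and which clients can actually use the
password (direct access) grant or implicit flow. Added example; both JSON
documents are constructed and the host is a placeholder."""

import json
from typing import List

# Constructed discovery document in the shape of Keycloak's
# /realms/<realm>/.well-known/openid-configuration.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.invalid/realms/master",
    "grant_types_supported": [
        "authorization_code", "implicit", "refresh_token", "password",
        "client_credentials", "urn:openid:params:grant-type:ciba",
        "urn:ietf:params:oauth:grant-type:device_code",
    ],
})

# Constructed realm export fragment; the flag names are Keycloak's client
# representation fields (Realm settings -> Partial export).
REALM_EXPORT = json.dumps({
    "realm": "global.virt",
    "clients": [
        {"clientId": "webmail", "publicClient": True,
         "directAccessGrantsEnabled": True, "implicitFlowEnabled": False},
        {"clientId": "dashboard", "publicClient": False,
         "directAccessGrantsEnabled": False, "implicitFlowEnabled": True},
        {"clientId": "api-gateway", "publicClient": False,
         "directAccessGrantsEnabled": False, "implicitFlowEnabled": False},
    ],
})

RISKY_GRANTS = ("password", "implicit")


def discovery_findings(doc: str) -> List[str]:
    """Flag risky advertised grants and a publicly served master realm.
    Keycloak advertises grant_types_supported for the whole server, so a
    listed grant is a prompt to review clients, not proof that it works."""
    cfg = json.loads(doc)
    realm = cfg.get("issuer", "").rstrip("/").rsplit("/", 1)[-1]
    findings = [f"{g} grant advertised"
                for g in cfg.get("grant_types_supported", []) if g in RISKY_GRANTS]
    if realm == "master":
        findings.insert(0, "master realm discovery served on the public listener")
    return findings


def client_findings(export: str) -> List[str]:
    """List clients that trade a username+password directly for tokens
    (direct access grants) or return tokens in URL fragments (implicit)."""
    findings = []
    for c in json.loads(export).get("clients", []):
        cid = c.get("clientId", "?")
        if c.get("directAccessGrantsEnabled"):
            kind = "public" if c.get("publicClient") else "confidential"
            findings.append(f"{cid}: direct access (password) grant on {kind} client")
        if c.get("implicitFlowEnabled"):
            findings.append(f"{cid}: implicit flow enabled")
    return findings
```

The remediation the report asks for maps to these flags: turn off "Direct Access Grants Enabled" and "Implicit Flow Enabled" on every client that does not need them, and keep the master realm off the public listener.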
SONABHY (national petroleum) — 24 executives, 9 board members, RSSI/DSI named HIGH
Source: cms.sonabhy.bf Strapi API
Content types: 46 (27 accessible)
The Strapi API for SONABHY — Burkina Faso's national petroleum importer/distributor (190,000-tonne tender active in July 2025, 3 fuel depots, ~4,000 tank trucks) — exposes the institution's full leadership structure. Every executive's photograph and title is public, including OUEDRAOGO Justin (RSSI — Head of Information System Security) and OUATTARA Salifou (DSI — IT Director). The 9-member board includes representatives of the Présidence du Faso (TIEMTORE Ragnang-newindé Isidore) and the Prime Minister's Office (BOUDA Arouna). For any state under multiple sanctions regimes, naming the people who run the petroleum import corridor publicly is consequential intelligence.
32 password hashes recovered across 7 WordPress sites HIGH
Sites: 7 (arcep, sig, diasporaburkina, carfo, sonapost, anptic, onea)
MD5: 14
SHA256: 18
WordPress's Gravatar field is the MD5 (older sites) or SHA256 (newer sites) of the lowercase email address of every user. ODINT enumerated 32 such hashes via unauthenticated /wp-json/wp/v2/users endpoints — covering the telecom regulator, the government info service, the diaspora portal, the civil servant pension fund, the postal service, the national IT agency, and the water utility. The hashes are stored in a Hash Hunter-compatible SQLite database with corresponding usernames, display names, and inferred email patterns. Email patterns are predictable: [email protected], [email protected], [email protected], [email protected] for the Direction Web team.
douanes.bf SYDONIA customs system in DEVELOPMENT MODE in production HIGH
System: ASYCUDA/SYDONIA (UNCTAD customs management)
Framework: JSF + PrimeFaces 6.2
The page source on the national customs login portal advertises PrimeFaces.settings.projectStage='Development' — Development mode in production. PrimeFaces 6.2 carries CVE-2017-1000486 (directory traversal). JSESSIONID is exposed in cookies with HttpOnly set but no Secure flag — the system runs over plain HTTP. ViewState tokens are visible in the page source. The login field is j_username. Customs systems handle import declarations and revenue collection; their compromise has direct national-revenue impact.
aber.bf — 268 MB WordPress debug.log with 5 months of errors HIGH
File: /wp-content/debug.log
Size: 268 MB
Entries: 427,595
The Rural Electrification Agency's WordPress debug log has been writable and publicly readable for 5 months (2025-10-02 to 2026-03-04). It discloses the server path (/home/ccynsaz/aber/wp-includes/functions.php), the hosting account name (ccynsaz on shared hosting), the MailPoet plugin (newsletter subscriber data), and 26 fatal errors among 379,309 notices and 45,596 deprecation warnings.
burkina24.com — 81 journalists' bios + SHA256 Gravatar hashes HIGH
Posts: 59,300
Media: 100,953
Users exposed: 81
The largest news site in the country exposes 81 journalists and editorial staff via its WP REST API — full names, bios, SHA256 Gravatar hashes, and named correspondents in France and Canada. Naming working journalists in a country with active hostilities against extremist groups creates real risk to source protection.
cnssbf.org / eservices.cnss.bf — Spring Boot Actuator + git commit leaked HIGH
Platform: JHipster/Spring Boot ("eCNSS")
Vendor: A2SYS
The Social Security e-Services platform's Swagger UI is publicly accessible at /swagger-ui/index.html. /management/info leaks the git branch (developer), commit hash (b7ceeb1 — dirty), build artifact (com.a2sys.digitalisation v0.0.1-SNAPSHOT), build date (2025-08-27), and active profile (prod). Health endpoint UP. robots.txt advertises /api/account, /api/users/, /api/audits/, /api/logs/.
DGI Tax Authority — 6 staff named, 1,687 media items HIGH
Posts: 431
Media: 1,687
Staff: 6
Direction Générale des Impôts — Burkina Faso's tax authority — runs WordPress + Divi with WP REST API open. Six staff accounts are exposed: dgi (admin), Léopold Boyavé YE, MWINSOBA BERNADETTE SOME, Moussa OUATTARA, Eliane SOME, Souleymane SANOU. For an institution that holds the country's full tax records, naming the technical staff and exposing the plugin stack publicly enables targeted phishing.

Email intelligence

Beyond the institutional accounts, ODINT recovered named-individual emails via website scrapes, WHOIS records, and DMARC fields. Where slugs in WordPress sites followed predictable patterns, ODINT inferred the underlying email addresses with marked confidence levels.

  • 14 named emails (HIGH confidence)
  • 15 inferred emails (HIGH confidence)
  • 37 @rcpb.bf branch emails
  • 3,956 unique emails (BOA CV corpus)

Notable named contacts include [email protected] (national cybersecurity agency), [email protected] (telecom DMARC admin), [email protected] (contractor managing ONEA), [email protected] (contractor registering the Presidency domain), and [email protected] (contractor registering SONABEL).

Contractor chain

The Burkinabè state outsources its most sensitive web infrastructure to a small set of contractors. A compromise of any contractor cascades to every government site they manage.

IKA SOLUTION (ikasolution.bf)
Manages ONEA — national water utility
Status: Allowed ONEA's domain registration to lapse 2025-05-17
ECODEV INTERNATIONAL (ecodev.dev)
Registers presidencedufaso.bf — Office of the President
CVP (cvp.bf)
Registers SONABEL — national electricity utility
YTCVN (ytcvn.com, Vietnamese)
Built police.gov.bf — National Police website
Risk: Foreign code access to police site source
PlanetHoster (Canadian)
Hosts academiedepolice.bf — full cPanel/WHM/Webmail/FTP exposed
Risk: Foreign cPanel admin to police academy hosting

Domains and licenses

From ARCEP's regulatory spreadsheets and the .bf root zone, ODINT extracted dated license records for every mobile, fiber, broadcast TV, and tower-company operator in the country. The most consequential expirations are onea.bf (already expired 2025-05-17) and the TNT (digital TV) license held by Société Burkinabè de Telediffusion, expiring 2026-06-21 — within three months.

SONABEL, the national electricity utility, holds an FTTH fiber license alongside three private operators — a regulatory anomaly worth noting: the electricity grid operator is also a licensed telecom carrier.

Raw data and downloads

The complete evidence corpus has been archived and is available for researchers, journalists, and the affected institutions through ODINT's data server.

  • Burkina Faso — Full Collection — 110+ organizations, 49,290+ files, 7.1 GB
  • CREDENTIALS-MASTER.md — Complete 30-section technical report
  • data.gov.bf SQL Dumps — 22 Iceberg tables, 83,770 records (largest single file: soumissionnaires.json, 84 MB)
  • BOA-WORDPRESS — 4,611 CVs + 3,956 emails + 722 financial PDFs (3.8 GB)
  • BURKINA24-WP — 59,300 posts + 100,953 media + 81 journalists (1.8 GB)
  • RTB-WP (state television) — 20,551 posts + 20,822 media (515 MB)
  • SIG-WORDPRESS — 4,432 posts + 5,824 media + 1,098 PDFs + 108 Word docs (137 MB)
  • TYPO3-MINISTRIES — 14 ministries, install.php + fileadmin + RSS
  • SONABHY-Strapi — 24 executives + 9 board + 13 projects + procurement
  • POLICE-MOODLE — 82 courses + 8 cadet promotions + curriculum (10-year-old Moodle)
  • SBIFTRADE — Full WSDL + 30 API endpoints + WCF contract
  • KEYCLOAK-MAILER — OIDC configs + JWKS keys (master + global.virt)
  • Hash DB — 32 hashes across 7 sites (SQLite + CSV)
  • CSC Broadcast Media DB — 268 stations: 170 radio + 23 TV + 4 MMDS + 4 satellite
  • ARCEP License CSV — 11 telecom licenses (mobile, FTTH, TNT, tower)
  • DOUANES-SYDONIA — Customs system in PrimeFaces 6.2 Development mode
  • ABER debug.log — 268 MB WordPress error log (5 months of errors)

What this means

The state of Burkina Faso's digital perimeter is not the result of a single mistake. It is a structural pattern:

  • Outsourcing of registration and operations to small contractors who allow domains to lapse, run development settings in production, and embed credentials in HTML.
  • An EOL software baseline — PHP 7.3 across 14 ministries, Moodle 2.9 at the police academy, Joomla 3.7 at the National Police — that no one is patching.
  • API-first platforms deployed with auth-last thinking — Strapi at SONABHY, Trino at data.gov.bf, WP REST across every ministry — exposing everything by default and then never being closed down.
  • Centralized identity (Keycloak) with password grant enabled, which converts every leaked username and weak password into a usable government login.

For the institutions named in this report, the path forward is concrete: rotate every @rcpb.bf and @sig.bf password, disable WP REST user enumeration, close /typo3/install.php, put data.gov.bf behind authentication, revoke the password grant on the master Keycloak realm, and renew onea.bf before someone else does.

OSINT notice

This report is based entirely on open-source intelligence (OSINT). No classified information was accessed. No confidential sources were used. No systems were breached. No authentication mechanisms were bypassed. All the data cited was publicly available and was being served without access controls at the time of collection.

Every endpoint described in this report responded to standard HTTP requests without credentials. The Trino SQL engine at trino.data.gov.bf accepted unauthenticated POST /v1/statement queries. The Strapi API at cms.sonabhy.bf served /api/content-type-builder/content-types without an Authorization header. WordPress REST APIs served /wp-json/wp/v2/users without authentication. The Moodle login page at the Police Academy embeds working guest credentials in publicly served HTML.

ODINT has notified Burkina Faso's ANSSI (anssi.bf, [email protected]) and ANPTIC (anptic.gov.bf) of the findings concurrent with this publication, in line with our coordinated disclosure policy.

Compiled on 22-05-2026 — Classification: OSINT — open source
Observatory for Digital Infrastructure and Network Transparency (ODINT)
