Total Data: 26.25 GB, 27,272 files across 55+ government domains
PII Extracted: 691+ cédulas, 559+ phones, 93 IMEIs, 659 government emails, 4,296+ citizen names
CRITICAL FINDINGS
1. Exposed Credentials
| Credential | Source | Impact |
| --- | --- | --- |
| Oraculo AES key — Password: SNAPsitio30v, Salt: ALRTOPER984TNMGDGFDH | minka.gob.ec GitLab | Decrypt all inter-site communications for ALL gov WordPress sites |
| SugarCRM SOAP — User: contactoweb, Pass: _3S(*i6n | minka.gob.ec GitLab | Access Contacto Ciudadano CRM (citizen PII: cédula, names, addresses) |
| FirmaEC test API key — pruebas | minka.gob.ec GitLab | Potential access to digital signature test/preprod systems |
| ARCOTEL meeting password — wUZNtk8uj53 | WordPress post content | Published publicly in meeting invite |
2. SQL Injection Vectors (Confirmed in Source)
| File | Parameter | Type |
| --- | --- | --- |
| ajax_selects.php | $_POST['identificador'] | Integer injection in WHERE clause |
| procesarContacto.php | $_POST['nombre'] + 13 other fields | String injection in INSERT |
| categoryDownload.php | $_REQUEST['categoId'] | Integer injection in WHERE clause |
Deployed on ALL government sites using Sitio-32 theme (Oraculo platform).
3. SRI Tax Authority — Full API Catalog Exposed
Ecuador's tax authority (18M citizens) exposes its entire Liferay JSONWS API catalog at /api/jsonws without authentication:
- 48+ service classes, hundreds of methods
- Document library (50+ methods), Export/Import, User management, Organization management
- Internal hostname leaked: sriliferay03.sri.ad (from JSESSIONID cookie)
- Dynatrace APM monitoring active (X-OneAgent-JS-Injection: true)
4. Massive PII Exposure via WordPress REST API
ARCOTEL (Telecom Regulator) — 5,000 comments:
- 364 cédula (national ID) numbers paired with full names
- 93 IMEI numbers paired with names (mobile device identifiers)
- 328 phone numbers from citizens
- 57 email addresses from citizens
- 2,336 unique citizen names
- 410 cédula-name pairs (deanonymization)
Inclusion.gob.ec (Social Inclusion Ministry) — 4,549 comments:
- 327 cédula numbers
- 328 phone numbers
- 54 email addresses
- 1,960 citizen names
- 355 cédula-name pairs
All publicly accessible via unauthenticated WordPress REST API.
5. FirmaEC Design Flaws (National Digital Signature Platform)
- Private keys sent to server: Mobile app uploads PKCS12 private key + Base64-encoded (NOT encrypted) password
- API key check bug: if (apiKey.equals(apiKey)) — always true, dead check (ServicioJWT.java:70)
- NullPointerException: Null check on apiKeySistema happens AFTER .toUpperCase() call
- hibernate.hbm2ddl.auto = update in production — auto schema updates
- JWT token forging possible if WildFly standalone.xml obtained (contains jwt.key in Base64)
- SSL verification DISABLED in all code and CI/CD (GIT_SSL_NO_VERIFY: "true")
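The two API-key defects listed above, reduced to a minimal Java sketch next to a corrected check. This is an added example, not FirmaEC source: the class, method and parameter names and the sample values are hypothetical, and the role assigned to each variable is an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class ApiKeyCheckDemo {

    // Assumed shape of the flawed logic: both defects from the findings in one method.
    static boolean flawedCheck(String presentedKey, String storedKey) {
        String normalized = storedKey.toUpperCase(); // dereferenced first: throws NPE when null
        if (storedKey == null) {                     // null check arrives too late to help
            return false;
        }
        // Self-comparison: the stored key (normalized) is never consulted,
        // so any non-null presented key is accepted.
        return presentedKey.equals(presentedKey);
    }

    // Corrected check: reject nulls first, then compare presented against stored.
    static boolean fixedCheck(String presentedKey, String storedKey) {
        if (presentedKey == null || storedKey == null) {
            return false;
        }
        byte[] presented = presentedKey.getBytes(StandardCharsets.UTF_8);
        byte[] stored = storedKey.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares in constant time, so the response time
        // does not reveal how many leading bytes matched. No case folding:
        // a secret is compared exactly as issued.
        return MessageDigest.isEqual(presented, stored);
    }

    public static void main(String[] args) {
        String stored = "constructed-sample-key"; // constructed value, not from the page

        System.out.println("flawed, wrong key accepted: " + flawedCheck("anything", stored)); // true
        try {
            flawedCheck("anything", null);
        } catch (NullPointerException e) {
            System.out.println("flawed, null stored key: NullPointerException");
        }

        System.out.println("fixed, wrong key:   " + fixedCheck("anything", stored)); // false
        System.out.println("fixed, correct key: " + fixedCheck(stored, stored));     // true
        System.out.println("fixed, null stored: " + fixedCheck("anything", null));   // false
    }
}
```

A unit test that presents a deliberately wrong key and expects rejection would have caught the self-comparison; static analyzers also flag `x.equals(x)` as a self-comparison.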
6. tctelevision.com — Exposed .git Repository
TC Televisión (state-owned TV channel) exposes /.git/config:
- Bitbucket repo: https://[email protected]/nicolaspalautc/tcwordpress.git
- Developer: Nicolás Palau ([email protected])
- Dev server path: /var/www/dev.tctelevision.com/ (confirmed in 20MB debug.log)
- Production path: /var/www/www.tctelevision.com/
- Database: tcwordpress
- DigitalOcean Spaces CDN: tctelevision.nyc3.digitaloceanspaces.com
- Google Analytics: G-H8J4GKFVFH
- Theme: davenport with child theme
- Plugins: wp-optimize, Yoast SEO, health-check, Kirki, MediaCloud S3 offload
- wp-config.php~ backup exists in git tree (blob d70f0cb97ae9ce77d6b6c544a4d619160c802920) — would contain full DB credentials
- debug.log: 20MB, 62,327 lines, Jun-Nov 2025, 29 server paths exposed
- Bitbucket repo is private (404), partial git dump recovered (3.7MB)
7. ECU911 Internal Network IPs Leaked
Internal IPs exposed in WP post/page content:
- 10.121.6.234 — internal media/streaming server (referenced 15+ times)
- 10.121.7.112 — internal server
- 192.168.1.232, 192.168.2.144 — local network devices
8. FAE (Air Force) SlimStat Analytics API Exposed
www.fae.mil.ec has SlimStat REST API exposed with endpoints that can return:
- Visitor IP addresses, usernames, emails
- Country, referer, browser, platform, search terms
- Outbound resource tracking
- Requires only a valid SlimStat token
USER ENUMERATION (75+ Government Accounts)
| Domain | Users | Notable |
| --- | --- | --- |
| aduana.gob.ec | 8 | oraculo (shared admin), Palantir user, cargonza, dizamora, garellano, gicordo, jcortez, mquiroga, rasanchez |
| arcotel.gob.ec | 4 | oraculo, comunicacionredes, decs-davidarrollo-2021 |
| ecu911.gob.ec | 2 | oraculo (same gravatar hash as aduana = same email), tecnologiaecu911 |
| seps.gob.ec | 3 | admins3ps2021, simbiontec (contractor), inhuman_ec (contractor) |
| issfa.mil.ec | 4 | issfa-editor-1-anita, gestion, issfa-editor-2-sebastian, webmasterft |
| bomberos.gob.ec | 1 | admin_9hkvwa61 (randomized) |
| comunicacion.gob.ec | 3 | administrador, comunicacion-digital, simon-feijoo |
| turismo.gob.ec | 11 | Full names of 10+ staff |
| corteconstitucional.gob.ec | 5 | diana-puentestar, luis-correa, maria-larrea, maria-jimenez, wilfredo-martel |
| registrocivil.gob.ec | 2 | oraculo + comunicacion, WP 4.7.31 (ANCIENT!) |
| educacion.gob.ec | 2 | WP 5.7.2 (outdated) |
| puce.edu.ec | 5 | aeabril, bmsempertegui, jasanchez, kviera004, santiago |
| ucuenca.edu.ec | 7 | daniel-urgiles, googlesheets (automation), jfrancisco, lourdes, marcelorodriguez |
| cpccs.gob.ec | 7 | Belen Vasconez, Cesar Bermeo, Daysi Tufino, infraestructura, Mauro Pilatasig, Rebeca Llasag, Santiago Bolanos |
Oraculo Shared Admin Pattern
User ID 1 = "oraculo" on multiple sites (aduana, ecu911, arcotel, registrocivil). Same gravatar hash on aduana+ecu911 proves same email controls both. This is the Oraculo centralized CMS deployment platform.
OUTDATED/VULNERABLE SYSTEMS
| Domain | Version | Risk |
| --- | --- | --- |
| registrocivil.gob.ec | WP 4.7.31 | Civil Registry on ancient WP — handles citizen IDs |
| educacion.gob.ec | WP 5.7.2 | Ministry of Education, outdated |
| iess.gob.ec | WP 5.7 | Social Security, outdated |
| cnel.gob.ec | PHP 5.4.16 | National electric company, 11-year EOL PHP |
| ecu911.gob.ec | Exchange 2013 CU23 | Emergency services, EOL email server |
| eppetroecuador.ec | Exchange 2016 CU21 | State oil company |
| biess.fin.ec | IIS/7.5, ASP.NET 4.0 | Social Security Bank, ancient IIS behind F5 WAF |
| igm.gob.ec | Apache/2.4.37, Rocky Linux | Military Geographic Institute, OpenSSL/1.1.1k |
| uta.edu.ec | Apache/2.4.62, PHP/8.0.30 | Technical University of Ambato |
SERVER FINGERPRINTING
| Target | Server | Stack | WAF/CDN |
| --- | --- | --- | --- |
| contraloria.gob.ec | IIS/10.0 | ASP.NET, X-Powered-By: CGE | Soft 404 (32KB page for all paths) |
| biess.fin.ec | IIS/7.5 | ASP.NET 4.0.30319 | F5 BIG-IP WAF (cookie TS01f73070) |
| bce.fin.ec | Reverse proxy | Unknown | F5 WAF, [email protected] |
| celec.gob.ec | nginx/1.14.1 | WordPress | .git blocked (403) |
| cfn.fin.ec | Apache | PHP, LiteSpeed Cache | WordPress |
| funcionjudicial.gob.ec | Apache | Unknown | WordPress (401 on all WP API) |
| igm.gob.ec | Apache/2.4.37 | Rocky Linux, OpenSSL/1.1.1k | — |
| cnt.gob.ec | — | Nuxt.js | — |
| sri.gob.ec | Liferay DXP | Java | Dynatrace APM |
| supercias.gob.ec | — | — | HTTP 403 (all blocked) |
| superbancos.gob.ec | — | CAS SSO | — |
GOVERNMENT GITLAB (minka.gob.ec)
Overview
- 70 public groups, 30+ e-government repos
- Source code for: FirmaEC (digital signatures), Quipux (document management), GobEC (gov platform), Coronavirus app, Oraculo plugin, Postal system, Consul (civic participation)
- 300 source files, 2.2 MB downloaded from 19 repos
- Key groups: MINTEL (408), Gobierno Electrónico (411), FirmaEC (417), CSIRT (25832)
- 5 GobEC core repos were empty (gobec-core, gobec-forms, gobec-platform, gobec-search, gobec-theme)
E-Government Projects (30 repos)
| Repo | Description | Created |
| --- | --- | --- |
| firmadigital-servicio | FirmaEC backend service | 2017-04 |
| firmadigital-api | FirmaEC API (standalone app) | 2017-04 |
| firmadigital-libreria | FirmaEC core crypto library | 2019-08 |
| firmadigital-tester | FirmaEC integration test harness | 2019-05 |
| firmadigital_drupal | FirmaEC Drupal8 integration | 2018-09 |
| quipux-app | Quipux document management core | 2017-12 |
| quipux-servicios | Quipux web services | 2018-07 |
| quipux-datos | Quipux database versioning | 2018-07 |
| quipuxcomunitario | Quipux community edition | 2025-09 |
| quipuxec-docs | Quipux documentation | 2021-02 |
| gobec | GobEC platform (tramites/instituciones) | 2018-05 |
| gobec_platform | GobEC installer | 2018-05 |
| gobec_forms | GobEC form digitization | 2019-05 |
| gobec_vaccination | COVID vaccination module | 2021-03 |
| coronavirus_app | COVID mobile app | 2020-03 |
| coronavirus_drupal | COVID Drupal services module | 2020-03 |
| servicesbsg | BuzonEC BSG services | 2022-09 |
| consul | Consul civic participation (Ecuador fork) | 2019-11 |
| cti-app | IT procurement system | 2017-10 |
| si-rgosp | Postal Service registration system | 2025-08 |
| inventario | Public software inventory (Odoo module) | 2018-07 |
| moodle-theme | E-learning platform theme | 2019-10 |
| estandares | E-government standards | 2018-04 |
Notable Groups (70 total)
| Group ID | Path | Description |
| --- | --- | --- |
| 25832 | mintel/ge/csirt-aplicativo | National CSIRT application |
| 5046 | sercop/firmaec | SERCOP procurement FirmaEC fork |
| 29671 | primeservices/firmaEc | Third-party FirmaEC |
| 28453 | primecore/FirmeECLib | Another FirmaEC library |
| 4759 | asi-ecuador | ASI Ecuador application |
| 5003 | epmapasc | Municipal water utility |
| 6036 | datil | Dátil invoicing services |
| 8126 | alpha-techonologies | Alpha Technologies (FirmaEC CA) |
| 8307 | firmasegura | Secure signature project |
Key Source Code Findings
- FirmaEC private key handling: Mobile API accepts PKCS12 + Base64 password — server handles private keys
- BSG/DIGERCIC integration: COVID app accesses Civil Registry SOAP service for citizen lookups by national ID
- DIGERCIC credentials in plaintext: Drupal admin form stores BSG password as textfield (not password field)
- FirmaEC JWT: HMAC-SHA512, key in WildFly standalone.xml, auto-generated if missing, 100s timeout
- Database: PostgreSQL via JNDI java:/FirmaDigitalDS, tables: sistema, sistema_mobile, documento, crl, log
- Server paths exposed: /var/www/firmadigital-tester/transversal/tmp/
FIRMAEC (National Digital Signature Platform)
| Environment | URL |
| --- | --- |
| Production | api.firmadigital.gob.ec |
| Pre-production API | impapi.firmadigital.gob.ec |
| Pre-production WS | impws.firmadigital.gob.ec |
| Test/Dev | testapi.firmadigital.gob.ec:8080 |
- Backend: WildFly + PostgreSQL
- JWT signing key in WildFly standalone.xml (jwt.key property, Base64 HMAC-SHA512)
- SSL verification DISABLED in all code and CI/CD (GIT_SSL_NO_VERIFY: "true")
- Custom protocol: firmaec://
- SOAP WSDL: http://impws.firmadigital.gob.ec/soap/firma_digital.wsdl
- Orfeo document management integration (WSDL exposed at /services/firmaec/wsdl)
- Trusted CAs: ANF Global Root, Alpha Technologies (2016-2036)
- MINTEL developers: Misael Fernandez, Pablo Veintimilla, Oscar Acero, Jorge Pazmino, Ricardo Arguello
MILITARY FINDINGS
| Target | Finding |
| --- | --- |
| issfa.mil.ec | 4 staff accounts, emails: [email protected], [email protected] |
| fae.mil.ec | 4,952 media, 393 API routes, Code Snippets plugin (PHP exec), Jetpack sync, INTELIGENCIA dept, SlimStat analytics API |
| ccffaa.mil.ec | [email protected] — Armed Forces IMEI control office |
| ecu911.gob.ec | Exchange 2013, hostname ECU911NMAIL02, internal IPs: 10.121.6.234, 10.121.7.112 |
| eppetroecuador.ec | Exchange 2016, hostname SPQ-DOMEXCHBRP1 |
| igm.gob.ec | Military Geographic Institute — Apache/2.4.37 Rocky Linux, alive but no WP |
Military Domain Probe Results (21 .mil.ec domains)
All .mil.ec domains (armada, ejercito, fuerzaaerea, fuerzanaval, fuerzaterrestre, comando, comaco, sstg, marina, espe, esmil, essuna) — UNREACHABLE from external network. Military infrastructure is well-segmented.
Sensitive Government Domain Probe (19 domains)
- supercias.gob.ec: HTTP 403 (alive but fully blocked)
- cnelep.gob.ec: All paths return same 354KB page (soft 404 with WAF)
- cnt.gob.ec: Nuxt.js app, no WP, locked down
- igm.gob.ec: Apache/Rocky Linux, no WP, locked down
- All others (contraloria, funcionjudicial, defensoriadelpueblo, procuraduria, bce, biess, cfn, compras, ant, planificacion, celec, petroecuador, correos, datosabiertos, gobiernoabierto, midena, isspol, csirt, snai, policiaecuador, ministeriointerior, inteligencia) — UNREACHABLE without www prefix
EXCHANGE/MAIL SERVERS
| Domain | Version | Internal Hostname | Auth |
| --- | --- | --- | --- |
| ecu911.gob.ec | Exchange 2013 CU23 (15.0.1497.48) | ECU911NMAIL02 | Kerberos on PowerShell |
| eppetroecuador.ec | Exchange 2016 CU21 (15.1.2507.6) | SPQ-DOMEXCHBRP1 | NTLM on autodiscover |
| arcotel.gob.ec | Zimbra | — | nginx frontend, SOAP active |
WORDPRESS DATA TOTALS
| Domain | Posts | Media | Comments | Sector |
| --- | --- | --- | --- | --- |
| aduana.gob.ec | 2,000+ | 23,629 | — | Customs |
| arcotel.gob.ec | 3,000+ | — | 5,000 | Telecom Regulator |
| ecu911.gob.ec | 3,006 | — | — | Emergency Services |
| agricultura.gob.ec | 14,205 | 15,221 | — | Agriculture |
| inclusion.gob.ec | 22,525 | 15,313 | 4,549 | Social Inclusion |
| salud.gob.ec | 7,707 | 32,114 | — | Health |
| cpccs.gob.ec | 7,495 | 32,485 | — | Citizens Participation |
| deporte.gob.ec | 7,835 | 10,007 | 25 | Sports |
| obraspublicas.gob.ec | 6,790 | 8,621 | — | Public Works |
| telecomunicaciones.gob.ec | 2,836 | 15,143 | 9 | Telecom/MINTEL |
| ambiente.gob.ec | 1,340 | 13,363 | — | Environment |
| celec.gob.ec | 1,694 | 3,185 | — | State Electric |
| cfn.fin.ec | 304 | 4,207 | — | National Finance |
| bce.fin.ec | 498 | 1,252 | — | Central Bank |
| fae.mil.ec | — | 4,952 | — | Air Force |
| finanzas.gob.ec | 792 | 1,868 | — | Finance |
| trabajo.gob.ec | 838 | 5,120 | — | Labor |
| turismo.gob.ec | 2,000+ | — | — | Tourism |
| uta.edu.ec | 281 | 1,302 | — | University |
Estimated totals: 75,000+ posts, 190,000+ media items, 9,500+ comments across 25+ sites
DATA INVENTORY
Total: 27,272 files, 26.25 GB
| Directory | Files | Size | Contents |
| --- | --- | --- | --- |
| RAW/ | 27,247 | 26.88 GB | All downloaded data |
| EXTRACTED-PII/ | 13 | 0.2 MB | Structured PII extractions |
WordPress API Data
- Posts, pages, media, comments, categories, tags from 30+ sites
- 269 pages of salud.gob.ec data (posts + media fully paginated)
- 5,000 ARCOTEL comments with citizen PII (extracted)
- 4,549 inclusion.gob.ec comments with citizen PII (extracted)
- 3,006 ECU911 posts with emergency service details
Documents
- 1,518 files, 1.7 GB from ARCOTEL and ECU911
- ARCOTEL telecom statistics: radio bases, subscriber counts, number porting, submarine cable clients
- ECU911 procurement, budget, and certification documents
- Sitemaps from 10 sites
- API root JSON from 30+ sites
Source Code
- 11 Oraculo PHP files (SQL injection, hardcoded creds, mail injection)
- 300 files from 19 minka.gob.ec repos (FirmaEC, GobEC, Quipux, Coronavirus, etc.)
- SRI JSONWS catalog (393 KB)
- tctelevision.com partial .git dump (3.7 MB) + 20MB debug.log (62K lines)
Extracted PII (DUMP/EXTRACTED-PII/)
| File | Count | Source |
| --- | --- | --- |
| arcotel-cedulas.txt | 364 | National ID numbers |
| arcotel-imeis.txt | 93 | Mobile device identifiers |
| arcotel-phones.txt | 328 | Phone numbers |
| arcotel-emails.txt | 57 | Citizen emails |
| arcotel-names.txt | 2,336 | Citizen names |
| arcotel-cedula-name-pairs.csv | 410 | ID-name deanonymization pairs |
| inclusion-cedulas.txt | 327 | National ID numbers |
| inclusion-phones.txt | 328 | Phone numbers |
| inclusion-emails.txt | 54 | Citizen emails |
| inclusion-names.txt | 1,960 | Citizen names |
| inclusion-cedula-name-pairs.csv | 355 | ID-name deanonymization pairs |
| government-emails.csv | 231 | Government employee emails (original) |
| government-emails-expanded.csv | 659 | Government employee emails (expanded) |
CREDENTIAL/EMAIL HARVEST
Government Employee Emails (659 unique across 78 domains)
Top domains by email count:
| Domain | Count | Sector |
| --- | --- | --- |
| msp.gob.ec | 142 | Ministry of Health |
| espoch.edu.ec | 133 | ESPOCH University |
| iess.gob.ec | 67 | Social Security |
| arcotel.gob.ec | 66 | Telecom Regulator |
| uta.edu.ec | 38 | Technical University |
| cpccs.gob.ec | 25 | Citizens Participation |
| mspsalud.gob.ec | 15 | Health (alt domain) |
| presidencia.gob.ec | 12 | Presidency |
| celec.gob.ec | 9 | State Electric |
| cfn.fin.ec | 19 | National Finance |
| bce.ec | 27 | Central Bank |
| ecu911.gob.ec | 8 | Emergency Services |
| aduana.gob.ec | 8 | Customs |
| energiayminas.gob.ec | 7 | Energy/Mining |
| issfa.mil.ec | 7 | Military Social Security |
| seps.gob.ec | 7 | Financial Superintendency |
| senatel.gob.ec | 6 | Former Telecom Regulator |
| inclusion.gob.ec | 5 | Social Inclusion |
| bomberos.gob.ec | 5 | Fire Service |
| mag.gob.ec | 5 | Agriculture |
Notable Email Addresses
MINTEL Developer PII
tctelevision Developer
| Name | Email | Role |
| --- | --- | --- |
| Nicolás Palau | [email protected] | WordPress developer, Bitbucket: NicolaspalauTC |
WORDFENCE/SECURITY PLUGIN DEPLOYMENT MAP
| Plugin | Sites |
| --- | --- |
| Wordfence | BCE, CELEC, Agricultura, Deporte, ESPOCH, Finanzas, Inclusion, Obras Publicas, Salud, Telecom, Trabajo, UTA |
| Elementor | BCE, CELEC, CPCCS, ESPOCH, Trabajo, UTA |
| Google Site Kit | Agricultura, Deporte, Inclusion, Obras Publicas, Salud, Telecom, Trabajo |
| Redirection | BCE, CPCCS, UTA |
| Application Passwords | CFN, CPCCS (endpoint: /wp-admin/authorize-application.php) |
| LiteSpeed Cache | CFN, ESPOCH |
| Forminator | Obras Publicas |
| WP Statistics | ESPOCH, UTA |
| SlimStat | FAE (military) |
| Code Snippets | FAE (PHP execution capability) |
| Jetpack | FAE (sync enabled) |