ODINT

Minka GitLab Source Code

Ecuador Government GitLab (minka.gob.ec) — Source Code Analysis Report


Summary

OVERVIEW

minka.gob.ec is Ecuador's official government GitLab platform hosting e-government source code. It contains the source for critical national infrastructure including digital signatures (FirmaEC), document management (Quipux), the government web platform (GobEC), and the COVID-19 response app.


CRITICAL FINDINGS

1. FirmaEC — National Digital Signature Platform

Repos: firmadigital-api, firmadigital-servicio, firmadigital-libreria, firmadigital-tester, firmadigital_drupal

Finding | Severity | Location
Private keys sent to server (PKCS12 + Base64 password) | CRITICAL | firmadigital-api mobile endpoint
API key check bug: if (apiKey.equals(apiKey)) is always true | HIGH | ServicioJWT.java:70
NullPointerException: .toUpperCase() called before null check | MEDIUM | ServicioJWT.java
hibernate.hbm2ddl.auto = update in production | HIGH | persistence.xml
SSL verification disabled everywhere | HIGH | CI/CD + all HTTP clients
Test API key "pruebas" hardcoded | MEDIUM | firmadigital-tester
JWT key auto-generated if missing | MEDIUM | ServicioTokenJwt.java

Architecture:

  • Backend: WildFly (JBoss) + PostgreSQL
  • JWT: HMAC-SHA512, key from standalone.xml system property jwt.key
  • JNDI: java:/FirmaDigitalDS
  • Tables: sistema, sistema_mobile, documento, crl, log
  • Custom protocol: firmaec://
  • Trusted CAs: ANF Global Root, Alpha Technologies
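The three ServicioJWT/ServicioTokenJwt findings above (self-comparison of the API key, the null check ordered after .toUpperCase(), and a JWT key generated when jwt.key is missing) share one remediation pattern. The snippet below is an added illustration, not FirmaEC's code: the class name, the registeredKey parameter and the assumption that jwt.key is a base64-encoded value are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public final class ApiKeyCheck {

    // Weak form, as the report describes it: the supplied key is compared with
    // itself, so any non-null value passes and a null value throws NullPointerException.
    static boolean weakCheck(String apiKey) {
        return apiKey.equals(apiKey);
    }

    // Hardened form (illustrative). registeredKey is the key stored for the calling
    // system. Null-check before any method call, compare against the stored value
    // instead of the input, and use a constant-time comparison so response timing
    // does not reveal how many leading bytes matched.
    static boolean hardenedCheck(String suppliedKey, String registeredKey) {
        if (suppliedKey == null || registeredKey == null) {
            return false;
        }
        byte[] supplied = suppliedKey.getBytes(StandardCharsets.UTF_8);
        byte[] registered = registeredKey.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(supplied, registered);
    }

    // JWT signing key: read the jwt.key system property named in the architecture
    // notes and fail closed when it is absent or too short, rather than generating one.
    // A generated key differs per node and per restart, so tokens stop validating
    // across instances and a missing configuration goes unnoticed.
    // Assumption: the property holds a base64-encoded key.
    static byte[] loadJwtKey() {
        String encoded = System.getProperty("jwt.key");
        if (encoded == null || encoded.trim().isEmpty()) {
            throw new IllegalStateException("jwt.key is not configured; refusing to start");
        }
        byte[] key = Base64.getDecoder().decode(encoded.trim());
        if (key.length < 64) { // HMAC-SHA512: use at least the 64-byte hash output size
            throw new IllegalStateException("jwt.key is shorter than 64 bytes");
        }
        return key;
    }

    public static void main(String[] args) {
        String registered = "constructed-placeholder-key"; // constructed sample, not a real key
        System.out.println("weak(\"anything\")         = " + weakCheck("anything"));
        System.out.println("hardened(wrong key)      = " + hardenedCheck("anything", registered));
        System.out.println("hardened(null)           = " + hardenedCheck(null, registered));
        System.out.println("hardened(correct key)    = " + hardenedCheck(registered, registered));
    }
}
```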

2. Oraculo Plugin — Government WordPress Theme

Repo: Quinaluisa/traduccion (Sitio-32 theme)

Finding | Severity
Hardcoded AES password: SNAPsitio30v | CRITICAL
Hardcoded AES salt: ALRTOPER984TNMGDGFDH | CRITICAL
SQL injection in ajax_selects.php | CRITICAL
SQL injection in procesarContacto.php (14 params) | CRITICAL
SQL injection in categoryDownload.php | CRITICAL
SugarCRM SOAP credentials: contactoweb / _3S(*i6n | CRITICAL
File upload without MIME validation | HIGH
raw.php unauthenticated data extraction | HIGH
test.php with unserialize() | HIGH
Deprecated mcrypt_* functions | MEDIUM
No CSRF protection on forms | MEDIUM
Mail header injection in contact form | MEDIUM

3. DIGERCIC/Civil Registry Integration

Repo: coronavirus-drupal (SettingsForm.php)

  • SOAP web service connects to Civil Registry (DIGERCIC) for citizen lookups by cédula
  • Credentials stored as #type => 'textfield' (plaintext, not password field) in Drupal admin
  • Fields: CodigoInstitucion, CodigoAgencia, Usuario, Contrasenia
  • Method: BusquedaPorNui (lookup by national ID)
  • WS-Security with digest authentication

E-GOVERNMENT PROJECT CATALOG (30 Repos)

Digital Signatures (FirmaEC)

Repo | Description | Created
firmadigital-servicio | Backend service (WildFly REST API) | 2017-04
firmadigital-api | Standalone signing application | 2017-04
firmadigital-libreria | Core crypto library (Java) | 2019-08
firmadigital-tester | Integration test harness (PHP) | 2019-05
firmadigital_drupal | Drupal 8 module for signing | 2018-09

Document Management (Quipux)

Repo | Description | Created
quipux-app | Core document management system | 2017-12
quipux-servicios | Web services layer | 2018-07
quipux-datos | Database versioning (SQL scripts) | 2018-07
quipuxcomunitario | Community edition | 2025-09
quipuxec-docs | Documentation | 2021-02

Government Platform (GobEC)

Repo | Description | Created
gobec | Drupal module for tramites/instituciones | 2018-05
gobec_platform | Platform installer | 2018-05
gobec_forms | Form digitization module | 2019-05
gobec_vaccination | COVID vaccination registration | 2021-03
gobec_feedback | Citizen feedback module | 2019-05
gobec_search | PostgreSQL search (SQL scripts) | 2019-02
gobec_frm_location | Province/Canton/Parish form elements | 2021-03
gobec_planning | Economic planning module | 2020-01

COVID-19 Response

Repo | Description | Created
coronavirus_app | Mobile application | 2020-03
coronavirus_drupal | Drupal services module (DIGERCIC integration) | 2020-03

Other

Repo | Description | Created
si-rgosp | Postal Service registration system | 2025-08
consul | Consul civic participation (Ecuador fork) | 2019-11
servicesbsg | BuzonEC BSG services | 2022-09
cti-app | IT procurement system | 2017-10
inventario | Public software inventory (Odoo module) | 2018-07
moodle-theme | E-learning platform theme | 2019-10
estandares | E-government standards documentation | 2018-04

NOTABLE GROUPS (70 Public)

Group ID | Path | Significance
25832 | mintel/ge/csirt-aplicativo | National CSIRT application (cybersecurity incident response)
5046 | sercop/firmaec | SERCOP (procurement) FirmaEC fork
29671 | primeservices/firmaEc | Third-party FirmaEC implementation
28453 | primecore/FirmeECLib | Another FirmaEC library fork
4759 | asi-ecuador | ASI Ecuador application
5003 | epmapasc | Municipal water utility software
6036 | datil | Dátil invoicing services (private company)
8126 | alpha-techonologies | Alpha Technologies (FirmaEC certificate authority)
8307 | firmasegura | Secure signature project
5038 | retoFirmaEC | FirmaEC challenge/hackathon

DEVELOPER PII

Name | Email | Role
Misael Fernandez | [email protected] | FirmaEC API lead developer
Pablo Veintimilla | [email protected] | Project lead
Oscar Acero | [email protected] / [email protected] | Development specialist
Jorge Pazmino | [email protected] | Development specialist
Ricardo Arguello | (not listed) | FirmaEC core architect (crypto library)

EMPTY/RESTRICTED REPOS

5 GobEC core repos returned empty content (possibly access-restricted despite public visibility):

  • gobec-core
  • gobec-forms (group level)
  • gobec-platform (group level)
  • gobec-search (group level)
  • gobec-theme

Data cloned 2026-03-04 from publicly accessible GitLab repositories. No authentication was used.