SHE for the Soldiers, None for the Secrets

Argentina's armed forces social insurance institute committed military personnel credentials to public git repositories. A prison visits system was deployed with a placeholder JWT secret the developer never changed. The Ministry of Economy's national gas subsidies API runs on default postgres credentials. Ninety-one domains. No login required.


2 CRITICAL | ARGENTINA | ARMED FORCES | OSINT Investigation

Campaign Statistics

A targeted sweep of Argentina's government digital surface — public git repositories associated with .gob.ar and .mil.ar domains — produced the following results. All data was retrieved from repositories that required no authentication to clone or browse.

Evidence Collected: ~2.5 GB
Domains Enumerated: 91
CRITICAL Findings: 2
HIGH Findings: 3
Military Personnel DBs Exposed: 2
Placeholder JWT in Production: 1
National Energy System Exposed: 1
Active Credential Sets: 6

The Comment That Wasn't Changed

Many frameworks ship with a .env.example file. Its purpose is to show developers which variables the application needs, with placeholder values rather than real ones. For the JWT secret, the convention is usually to write CHANGE_ME, YOUR_SECRET_HERE, or GENERATE_A_RANDOM_VALUE. DSISPER's prison visits system used CAMBIAR_POR_UNA_CLAVE_ALEATORIA_LARGA_Y_SEGURA, a Spanish instruction meaning "CHANGE TO A LONG SECURE RANDOM KEY."

The developer copied the .env.example to .env. They did not change the JWT secret. They committed it. They deployed it. The system is in production. The JWT_SECRET is the comment from the example file. Anyone who can read a public git repository can now forge a valid authentication token for Argentina's federal prison visits tracking system.

The secret was the instructions on how to make a secret. They committed the instructions.

This finding — a JWT secret left as a documentation placeholder — represents a complete authentication bypass. JWT tokens are signed with this secret. Knowing the secret means being able to sign any token, for any user ID, with any role claims. The door is unlocked because the key is the word "lock."

Critical Findings

IOSFA — Armed Forces Social Insurance Admin Credentials CRITICAL
Domains: calificaciones.iosfa.gob.ar + visitas.iosfa.gob.ar
System: Instituto de Obra Social de las Fuerzas Armadas (Army/Navy/Air Force)

Both repositories commit .env.production files using the same iosfa_admin credentials — one for the military personnel qualifications database and one for the armed forces medical appointments system. A JWT_SECRET_KEY is also committed in the calificaciones repository. One admin credential pair controls both military personnel rating and medical visit records for the entire Argentine armed forces.

    ## calificaciones.iosfa.gob.ar (.env.production)
    JWT_SECRET_KEY=[redacted]
    DB_USER=iosfa_admin
    DB_PASSWORD=[redacted]
    DB_NAME=iosfa_calificaciones_v1

    ## visitas.iosfa.gob.ar (.env.production)
    DB_USER=iosfa_admin
    DB_PASSWORD=[redacted]  # same credentials
    DB_NAME=iosfa_visitas

DSISPER Prison Visits — Placeholder JWT Secret in Production CRITICAL
Domain: svc.dsisper.gob.ar
System: DSISPER Sistema de Visitas Penales — federal prison visits tracking

JWT_SECRET in production .env is the literal Spanish instruction from .env.example: "CAMBIAR_POR_UNA_CLAVE_ALEATORIA_LARGA_Y_SEGURA" (Change to a long secure random key). Database credentials for sistemaVisitasPenales also committed. APP_ENV=production confirms this is the live deployment.

    DB_HOST=127.0.0.1
    DB_NAME=sistemaVisitasPenales
    DB_USER=csalomon
    DB_PASS=[redacted]
    APP_ENV=production
    # JWT secret is the example file comment — never changed:
    JWT_SECRET=CAMBIAR_POR_UNA_CLAVE_ALEATORIA_LARGA_Y_SEGURA

High Severity Findings

MECON Plan Gas — Default PostgreSQL Credentials on National Energy API HIGH
Domain: plangasvan.mecon.gob.ar
System: Ministerio de Economia — Plan Gas national gas subsidies management API

The API backend for Argentina's Plan GAS.AR national natural gas subsidies program uses default PostgreSQL credentials (user=postgres, password=postgres) committed to a public repository. A MySQL root account with an empty password is also present. The plangas database manages subsidy program data for Argentina's national gas production incentive scheme.

    PGSQL_USER=postgres
    PGSQL_PASS=postgres  # default credentials
    PGSQL_DB=plangas
    MYSQL_USER=root
    MYSQL_PASS=  # empty password

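A pre-commit or CI check for the two failure modes described above, the placeholder JWT_SECRET and the default or empty database passwords (added example, not code from the report or from any audited repository). The sample .env is constructed from the shape of the redacted snippets; the reason names, the 32-character floor and the *_USER pairing heuristic are assumptions.

```python
import re

# Constructed sample input shaped like the findings above; no value is a real credential.
ENV_EXAMPLE = "JWT_SECRET=CAMBIAR_POR_UNA_CLAVE_ALEATORIA_LARGA_Y_SEGURA\nDB_PASS=\n"
SAMPLE_ENV = """\
APP_ENV=production
DB_USER=appuser
DB_PASS=constructed-not-a-real-password
JWT_SECRET=CAMBIAR_POR_UNA_CLAVE_ALEATORIA_LARGA_Y_SEGURA
PGSQL_USER=postgres
PGSQL_PASS=postgres   # default credentials
MYSQL_USER=root
MYSQL_PASS=           # empty password
"""

SENSITIVE = re.compile(r"SECRET|PASS|KEY|TOKEN", re.I)
PLACEHOLDER = re.compile(r"CHANGE|CAMBIAR|YOUR_|GENERATE|EXAMPLE|_HERE", re.I)
COMMON_DEFAULTS = {"postgres", "root", "admin", "password", "secret"}
MIN_SECRET_LEN = 32  # assumed policy floor for signing secrets

def parse_env(text):
    """Return {KEY: value}, dropping comment lines, inline '# ...' and quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = re.sub(r"\s+#.*$", "", value).strip().strip("'\"")
    return env

def audit_env(env_text, example_text=""):
    """List (key, reason) for every sensitive value that must not ship."""
    env, example = parse_env(env_text), parse_env(example_text)
    findings = []
    for key, value in env.items():
        if not SENSITIVE.search(key):
            continue
        user = env.get(key.rsplit("_", 1)[0] + "_USER")  # e.g. PGSQL_PASS -> PGSQL_USER
        checks = [  # first matching rule wins
            ("empty", value == ""),
            ("same-as-example", example.get(key) == value),
            ("placeholder", bool(PLACEHOLDER.search(value))),
            ("default-credential", value == user or value.lower() in COMMON_DEFAULTS),
            ("too-short", "SECRET" in key.upper() and len(value) < MIN_SECRET_LEN),
        ]
        reason = next((name for name, hit in checks if hit), None)
        if reason:
            findings.append((key, reason))
    return findings
```

Run it over every tracked .env* file and fail the build on any finding. Passing the .env.example text catches an unchanged value even when it contains no recognisable placeholder word.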
IMPSR Rosario — Municipal Social Security Credentials HIGH
Domain: multiespaciotest.impsr.gob.ar
System: Instituto Municipal de Prevision Social de Rosario

Laravel .env committed with database credentials for the Rosario Municipal Social Security Institute's multiespacio system. APP_KEY also committed. The domain name indicates a test environment, but the committed configuration uses a dedicated database user with a non-trivial password.

Mendoza Judiciary — OpenAI API Key HIGH
Domain: sistemaswp.jusmendoza.gob.ar
System: Mendoza Province Judiciary systems (CodeIgniter)

Production OpenAI API key committed to the Mendoza province judiciary systems repository (CI_ENVIRONMENT=production). Represents ongoing unauthorized billing and usage risk until the key is revoked.

Targets Audited

calificaciones.iosfa.gob.ar
IOSFA — Armed Forces personnel qualifications database
Size: 4 KB | Status: CRITICAL — iosfa_admin credentials + JWT secret

visitas.iosfa.gob.ar
IOSFA — Armed Forces medical appointments system
Size: 8 KB | Status: CRITICAL — same iosfa_admin credentials

svc.dsisper.gob.ar
DSISPER — Federal prison visits tracking system
Size: ~5 MB | Status: CRITICAL — placeholder JWT in production + DB credentials

plangasvan.mecon.gob.ar
Ministerio de Economia — Plan Gas national subsidies API
Size: ~15 MB | Status: HIGH — default PostgreSQL credentials (postgres/postgres)

she.ejercito.mil.ar
Argentine Army — Sistema de Haberes del Ejercito (Army Pay System)
Size: 191 MB | Status: INFO — frontend source exposed, .htaccess.swp committed

sistemaswp.jusmendoza.gob.ar
Mendoza Province Judiciary — systems platform
Size: ~8 MB | Status: HIGH — OpenAI production API key committed

Evidence Archive

IOSFA-CALIFICACIONES
Armed Forces qualifications DB — admin credentials + JWT secret key
IOSFA-VISITAS
Armed Forces visits system — same admin credentials, two environments
DSISPER-VISITAS-PENALES
Prison visits tracking — placeholder JWT secret + DB credentials
MECON-PLANGAS
Plan Gas national energy API — default PostgreSQL credentials
CREDENTIALS-MASTER.md
Complete credential inventory with remediation guidance for all 91 domains

Methodology and Scope

All data in this report was collected through passive open-source intelligence (OSINT) methods. No credentials were used to authenticate to any system. No databases were accessed, read, or modified. No systems were exploited or disrupted. All git repositories were publicly accessible without authentication at the time of collection (2026-04-02).

Findings were collected, analyzed, and held pending disclosure review before publication. No raw credential values appear in this public-facing report. Full credential details are available in the CREDENTIALS-MASTER.md archive for verified researchers, journalists, and affected parties.

Collection: 2026-04-02 | Publication: 2026-06-13 | Country: Argentina | Domains: 91 | Critical: 2 | High: 3