The Government With No Lock

A nationwide passive OSINT audit of Haiti's .gouv.ht infrastructure mapped 50+ government domains, 710 MB of evidence, a wide-open national tax application, 3,233 citizens' records, and a hijacked National Police domain. Nothing was forced. Nothing was locked.

Campaign Statistics

A single passive reconnaissance sweep against Haiti's government web estate — ministries, financial oversight bodies, the security apparatus, and certificate-transparency-discovered subdomains — produced the following aggregate results. Every request was an unauthenticated HTTP GET. No credentials were used. No systems were breached.

710 MB Evidence Collected
50+ .gouv.ht Domains Probed
3,233 Customs Candidates' PII
6 Critical Exposures
227 Documents Parsed
1,365 Images EXIF-Scanned
194 Unauthenticated API Files
18 Gov Identities Exposed

It Started With a Directory Listing

There was no exploit. There was a URL.

curl -s https://civitax.gouv.ht/

civitax.gouv.ht is Haiti's municipal tax administration application — the system that handles property census (Recensement) and tax billing (Bordereau) records for citizens. The server did not return a login wall. It returned a full directory listing of the entire application: source files, report pages, statistics modules, security-administration pages (Edit_User, GroupRights), and downloadable .rar archives of the Recensement and Bordereau modules.

The application runs Telerik UI for ASP.NET AJAX v2013.3.1015.40, a build covered by CVE-2017-9248 (a cryptographic weakness in the Telerik dialog handler that lets an unauthenticated client recover the component's encryption keys) and CVE-2019-18935 (.NET deserialization in the RadAsyncUpload handler, exploitable for unauthenticated remote code execution by anyone who knows or recovers the upload keys). The Telerik.Web.UI.DialogHandler.aspx endpoint answered 200 OK, and the ASP.NET trace.axd handler is present. Neither was exercised beyond that single request; the version string and the reachable handlers are enough to establish the exposure. What is supposed to be a controlled government tax system was, in practice, an open filing cabinet with the drawer already pulled out.

No authentication was required. No exploit was deployed. The directory index was public by configuration — or by negligence. From the citizen's point of view, the difference does not matter.
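A minimal triage of captures like these, written for this page as an added example (it is not ODINT's withheld tooling): it decides whether a root response is a directory listing, pulls the Telerik build string out of the WebResource.axd script references, and compares it against the fixed-in builds from the vendor advisories (2017.2.621 for CVE-2017-9248, 2020.1.114 for CVE-2019-18935; that comparison rule is an assumption recorded in the code). The sample responses are constructed, not captures from civitax.gouv.ht.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed sample responses standing in for unauthenticated GETs against the
# tax application. The bodies are illustrative shapes, not captures from the site.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/": (200, '<html><head><title>civitax.gouv.ht - /</title></head>'
               '<body><H1>civitax.gouv.ht - /</H1><hr><pre>'
               '<A HREF="/Recensement.rar">Recensement.rar</A><br>'
               '<A HREF="/Edit_User.aspx">Edit_User.aspx</A><br></pre></body></html>'),
    "/Default.aspx": (200, '<script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_='
                           '%3b%3bTelerik.Web.UI%2c+Version%3d2013.3.1015.40%2c+Culture%3dneutral'
                           '%3aen-US%3a"></script>'),
    "/Telerik.Web.UI.DialogHandler.aspx": (200, "Loading the dialog..."),
    "/trace.axd": (200, "<title>Application Trace</title>"),
    "/login.aspx": (404, "Not Found"),
}

DIR_LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),                     # Apache / nginx autoindex
    re.compile(r"<h1>[^<]* - /[^<]*</h1>\s*<hr>\s*<pre>", re.I),   # IIS directory browsing
    re.compile(r"\[To Parent Directory\]", re.I),                  # IIS sub-directory pages
)
# WebResource.axd script references embed "Telerik.Web.UI, Version=x.y.z.w", usually
# URL-encoded; unquote first so one pattern covers both the raw and encoded forms.
TELERIK_VERSION_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d+(?:\.\d+){3})", re.I)

# Fixed-in builds from the vendor advisories for the two CVEs named on the page.
# Assumption: compare on the first three components of the build string.
TELERIK_ADVISORIES: List[Tuple[str, Tuple[int, int, int]]] = [
    ("CVE-2017-9248", (2017, 2, 621)),    # dialog-handler key recovery, fixed in R2 2017 SP1
    ("CVE-2019-18935", (2020, 1, 114)),   # RadAsyncUpload deserialization, fixed in R1 2020
]


def is_directory_listing(body: str) -> bool:
    return any(p.search(body) for p in DIR_LISTING_MARKERS)


def telerik_version(body: str) -> Optional[str]:
    m = TELERIK_VERSION_RE.search(unquote_plus(body))
    return m.group(1) if m else None


def telerik_cves(version: str) -> List[str]:
    """CVEs whose fixed-in build is newer than the observed build."""
    observed = tuple(int(p) for p in version.split("."))[:3]
    return [cve for cve, fixed in TELERIK_ADVISORIES if observed < fixed]


def triage(responses: Dict[str, Tuple[int, str]]) -> Dict[str, object]:
    """Reduce a set of (status, body) captures to the exposure facts worth reporting."""
    findings: Dict[str, object] = {
        "directory_listing": False, "telerik_version": None,
        "telerik_cves": [], "handlers_reachable": [],
    }
    for path, (status, body) in responses.items():
        if status != 200:
            continue
        if path == "/" and is_directory_listing(body):
            findings["directory_listing"] = True
        ver = telerik_version(body)
        if ver and findings["telerik_version"] is None:
            findings["telerik_version"] = ver
            findings["telerik_cves"] = telerik_cves(ver)
        if path.lower().endswith(("dialoghandler.aspx", "trace.axd")):
            findings["handlers_reachable"].append(path)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RESPONSES).items():
        print(f"{key}: {value}")
```

The same functions run unchanged over archived captures once they are loaded as (status, body) pairs; the version comparison deliberately ignores the fourth build component, which Telerik uses for the daily build number rather than the release.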

Targets Assessed

The investigation swept Haiti's government estate in layers: 13 ministry domains, 15 financial and oversight agencies, 9 military and security domains, 13 certificate-transparency subdomains never previously assessed, and 20 cPanel / autodiscover mail targets. The findings below are the ones that matter.

civitax.gouv.ht
National Municipal Tax Application — CRITICAL
Full directory listing of the entire tax application exposed. Telerik UI 2013 with CVE-2017-9248 and CVE-2019-18935 (unauthenticated RCE). Downloadable RAR archives of the Recensement (property census) and Bordereau (tax billing) modules. Security-admin pages reachable without authentication.
pnh.gouv.ht
Police Nationale d'Haiti — DOMAIN HIJACKED
The official National Police domain no longer serves the National Police. It serves a "Cash Rocket / smocup-cashads" scam platform. The TLS certificate is issued to cashads.smocup.site, not pnh.gouv.ht. A national law-enforcement domain has been quietly repurposed for fraud.
agdmail.douane.gouv.ht
Customs Authority (AGD) Mail — Microsoft Exchange 2016 EXPOSED
A fully exposed Microsoft Exchange 2016 server (build 15.1.2507.61, IIS/10.0) fronting Haiti Customs email. Exchange 2016 left Microsoft extended support in October 2025, so the build will receive no further security updates. Autodiscover is reachable. Of all probed domains, only Customs publishes a DMARC reject policy; the rest enforce nothing, so mail forged from their domains is not rejected by receivers.
mde.gouv.ht
Ministry of Environment — CRITICAL (abandonware)
Running Joomla 3.8.7 (released April 2018, so roughly eight years without a patch; the whole Joomla 3 branch reached end of life in August 2023) behind nginx/1.26.3. An unmaintained CMS this old on a live ministry site is a standing invitation.
md.gouv.ht
Ministry — WordPress User Enumeration + Recruitment Data
Full WordPress REST API with user enumeration (/wp-json/wp/v2/users), 168 media files, 22 posts, and XML-RPC enabled with 80+ methods (a brute-force and amplification surface). Military-enrollment forms, an employee newsletter system, and candidate-eligibility lists are publicly reachable through the REST API. The Code Snippets plugin (which lets any administrator run arbitrary PHP) and application-password authentication are enabled, so a single guessed or phished administrator credential becomes code execution on the host.
mpce.gouv.ht
Ministry of Planning — HIGH
WordPress 6.9.1 + Divi child theme on Apache, responding 200 with an enumerable surface. One of six live ministry domains out of thirteen probed; the other seven do not resolve in public DNS at all.
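Two of the checks the target list rests on, the certificate-name mismatch that flags pnh.gouv.ht as hijacked and the DMARC policy lookup that separates Customs from every other domain, as an added example for this page (not ODINT's tooling). The certificates and DMARC records are constructed stand-ins in the formats Python's ssl module and a DNS TXT lookup return; the only live piece, fetch_peer_cert, is not exercised here.

```python
import socket
import ssl
from typing import Dict, List, Optional

# Constructed certificates in ssl.SSLSocket.getpeercert() dict form. The first models
# what the page reports for pnh.gouv.ht (a certificate issued to cashads.smocup.site);
# the second is an invented wildcard certificate used only to exercise the matcher.
HIJACK_CERT = {
    "subject": ((("commonName", "cashads.smocup.site"),),),
    "subjectAltName": (("DNS", "cashads.smocup.site"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.gouv.ht"),),),
    "subjectAltName": (("DNS", "*.gouv.ht"), ("DNS", "gouv.ht")),
}

# Constructed DMARC TXT records (the page reports only that Customs publishes p=reject;
# the record text itself is invented). None means no _dmarc record was published.
DMARC_SAMPLES: Dict[str, Optional[str]] = {
    "douane.gouv.ht": "v=DMARC1; p=reject; rua=mailto:dmarc@douane.example.invalid",
    "mde.gouv.ht": None,
    "md.gouv.ht": "v=DMARC1; p=none; rua=mailto:dmarc@md.example.invalid",
}


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: exact match, or a single '*' as the leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # no partial or multi-level wildcards, never a bare public suffix
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> List[str]:
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # CN is consulted only when the cert carries no DNS SANs
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_matches_host(cert: dict, host: str) -> bool:
    return any(_name_matches(n, host) for n in cert_dns_names(cert))


def classify_tls(cert: dict, host: str) -> str:
    """'ok' when the certificate covers the requested name, otherwise who it was issued to."""
    if cert_matches_host(cert, host):
        return "ok"
    return "mismatch: certificate issued to " + ", ".join(cert_dns_names(cert))


def parse_dmarc(txt: Optional[str]) -> Dict[str, str]:
    """Tag=value pairs of a DMARC record; empty dict if absent or not a DMARC1 record."""
    if not txt:
        return {}
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_enforcement(txt: Optional[str]) -> str:
    """'missing', or the published policy: reject, quarantine, or none (p defaults to none)."""
    tags = parse_dmarc(txt)
    if not tags:
        return "missing"
    return tags.get("p", "none").lower()


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One TLS handshake. The chain is still verified (CERT_REQUIRED is the context default);
    only the hostname check is switched off so a mismatched certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("pnh.gouv.ht:", classify_tls(HIJACK_CERT, "pnh.gouv.ht"))
    for domain, record in DMARC_SAMPLES.items():
        print(f"{domain}: DMARC {dmarc_enforcement(record)}")
```

The DMARC text for a real domain comes from `dig +short TXT _dmarc.<domain>`; fetch_peer_cert keeps chain verification on deliberately, because a hijacked host with a valid certificate for the wrong name (the pnh.gouv.ht case) is exactly what the mismatch branch is meant to surface.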

3,233 Citizens in One Spreadsheet

The single most damaging artifact was not a database. It was a public file on the Customs site: DOUANE-GOUV/downloads/Liste-des-candidats-retenus.xlsx — the complete list of 3,233 candidates retained for the Haiti Customs (AGD) examination, each row carrying full personal data.

Code         | Last Name  | First Name   | Sex | Phone            | Department
OE12AG7570   | Abdon      | Gerald       | M   | (+509) 5544-6924 | OUEST
OE12AO1940   | Abel       | Osmane       | M   | (+509) 4019-1719 | OUEST
ND18AC1872   | ABEL       | CAMY         | M   | (+509) 3259-5650 | NORD_EST

A redacted twin (Liste-des-candidats-retenus-no_phone.xlsx) sits on the same server, which shows the publisher knew the phone numbers were sensitive and then published the version that contained them anyway.
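The check a publisher should run before uploading either file, as an added example for this page (not ODINT's tooling): a PII scan over the document text and a writer for the redacted twin, wired so the redacted output is re-scanned rather than assumed clean. The rows are constructed placeholders, not entries from the spreadsheet, and the +509 phone pattern is an assumption about how numbers appear in the corpus, based on the formats shown above.

```python
import csv
import io
import re
from typing import Dict, Iterable, List, Set

# Constructed rows in the layout of the Customs candidate list. Names and numbers are
# placeholders, not entries from the published spreadsheet.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"Code": "XX00AA0001", "Last Name": "Candidate", "First Name": "One",
     "Sex": "F", "Phone": "(+509) 0000-0001", "Department": "OUEST"},
    {"Code": "XX00AA0002", "Last Name": "Candidate", "First Name": "Two",
     "Sex": "M", "Phone": "+509 0000 0002", "Department": "NORD_EST"},
    {"Code": "XX00AA0003", "Last Name": "Candidate", "First Name": "Three",
     "Sex": "M", "Phone": "00000003", "Department": "SUD"},
]

# Assumption: Haitian mobile numbers are eight digits, optionally prefixed with the +509
# country code, written as "(+509) 5544-6924", "+509 5544 6924" or bare "55446924".
# This is a detection heuristic; any two adjacent 4-digit groups will also trip it.
PHONE_RE = re.compile(r"(?:\(\+509\)\s*|\+509\s*)?\b\d{4}[-\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_pii(text: str) -> Dict[str, Set[str]]:
    """Phone numbers (normalised to their 8 digits) and e-mail addresses present in free text."""
    phones = {re.sub(r"\D", "", m.group(0))[-8:] for m in PHONE_RE.finditer(text)}
    emails = {m.group(0).lower() for m in EMAIL_RE.finditer(text)}
    return {"phones": phones, "emails": emails}


def to_csv(rows: Iterable[Dict[str, str]], drop: Iterable[str] = ()) -> str:
    """Serialise rows, omitting the named columns (drop=("Phone",) yields the no_phone twin)."""
    rows = list(rows)
    drop = set(drop)
    fields = [f for f in rows[0].keys() if f not in drop]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def publication_gate(document: str) -> List[str]:
    """Reasons a document must not be published as-is; an empty list means it passes."""
    found = find_pii(document)
    reasons = []
    if found["phones"]:
        reasons.append(f"{len(found['phones'])} phone number(s) present")
    if found["emails"]:
        reasons.append(f"{len(found['emails'])} e-mail address(es) present")
    return reasons


if __name__ == "__main__":
    full = to_csv(SAMPLE_ROWS)
    redacted = to_csv(SAMPLE_ROWS, drop=("Phone",))
    print("full list:", publication_gate(full) or "passes")
    print("no_phone twin:", publication_gate(redacted) or "passes")
```

The point of re-scanning the redacted output instead of trusting the column drop is that phone numbers also hide in free-text fields; for the real .xlsx files the same gate applies to every cell after the workbook is flattened to text.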

Across the wider document corpus, ODINT parsed 227 documents and EXIF-scanned 1,365 images recovered from public government endpoints. The aggregate yield: 59 unique email addresses, thousands of phone numbers, NIF tax identifiers, named individuals, budget and finance-law PDFs, and Customs operational data (SYDONIA container, port, and warehouse code tables, including an 895-row international port reference). Eighteen WordPress users, authors, and commenters were enumerated across the central bank (brh.ht), the tax directorate (dgi.gouv.ht, where a personal Gmail account is registered as an author), and other agencies, each with the public Gravatar hash that WordPress embeds in its avatar URLs; hashing a list of candidate email addresses and comparing is enough to turn those hashes back into identities.
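How the Gravatar hashes turn into names, as an added example for this page (it is not ODINT's Gravatar Reverse Analysis report or tooling): WordPress builds each avatar URL from the MD5 of the trimmed, lowercased e-mail address, so hashing a list of candidate addresses and matching against the exposed users' avatar hashes resolves identities. The REST payload is constructed in the shape of /wp-json/wp/v2/users and the candidate addresses are invented stand-ins for the addresses recovered from documents; SHA-256 is tried as well, since newer Gravatar integrations accept it.

```python
import hashlib
import json
from typing import Dict, Iterable, List
from urllib.parse import urlparse
from urllib.request import Request, urlopen


def gravatar_hashes(email: str) -> List[str]:
    """Hashes Gravatar accepts for an address: MD5 (what WordPress core emits in avatar_urls)
    and SHA-256 (accepted by newer integrations), both over the trimmed, lowercased form."""
    canon = email.strip().lower().encode()
    return [hashlib.md5(canon).hexdigest(), hashlib.sha256(canon).hexdigest()]


def _constructed_user(uid: int, name: str, slug: str, email: str) -> dict:
    """Shape of one /wp-json/wp/v2/users entry; the e-mail is used only to build the avatar URL
    (the live endpoint never returns the address itself, only the hash)."""
    h = gravatar_hashes(email)[0]
    return {"id": uid, "name": name, "slug": slug,
            "avatar_urls": {"96": f"https://secure.gravatar.com/avatar/{h}?s=96&d=mm&r=g"}}


# Constructed REST payload and candidate-address list; nothing here comes from a live site.
SAMPLE_USERS_JSON = json.dumps([
    _constructed_user(1, "Webmaster", "webmaster", "webmaster@ministry.example.invalid"),
    _constructed_user(7, "J. Author", "jauthor", "j.author@gmail.example.invalid"),
    _constructed_user(9, "Editor", "editor", "nobody-knows@example.invalid"),
])
CANDIDATE_EMAILS = [
    "webmaster@ministry.example.invalid",
    "J.Author@gmail.example.invalid",   # case differs from the registered address
    "press@ministry.example.invalid",   # present in documents, not a WordPress user
]


def user_avatar_hashes(payload: str) -> Dict[str, str]:
    """slug -> gravatar hash, pulled from the avatar URL path of each exposed user."""
    out: Dict[str, str] = {}
    for user in json.loads(payload):
        url = next(iter(user.get("avatar_urls", {}).values()), "")
        out[user["slug"]] = urlparse(url).path.rsplit("/", 1)[-1]
    return out


def resolve_users(payload: str, candidates: Iterable[str]) -> Dict[str, str]:
    """slug -> e-mail for every exposed user whose avatar hash matches a candidate address."""
    lookup = {h: e for e in candidates for h in gravatar_hashes(e)}
    return {slug: lookup[h] for slug, h in user_avatar_hashes(payload).items() if h in lookup}


def fetch_users(base_url: str, per_page: int = 100) -> str:
    """Unauthenticated GET of the first page of the users endpoint (the live step; not run here)."""
    req = Request(f"{base_url.rstrip('/')}/wp-json/wp/v2/users?per_page={per_page}",
                  headers={"User-Agent": "recon-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for slug, email in resolve_users(SAMPLE_USERS_JSON, CANDIDATE_EMAILS).items():
        print(f"{slug} -> {email}")
```

Unresolved users (the constructed "editor" above) are the normal case; the technique only recovers addresses that already appear somewhere in the collected corpus, which is why the document e-mail extraction and the user enumeration reinforce each other.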

A State on Shared Hosting

The structural finding is not any single vulnerability; it is the architecture. Haiti's government runs on commodity shared hosting. ODINT fingerprinted ministry and oversight sites on Bluehost, SiteGround, and Hostinger shared plans, several leaking their hosting origin through a base64-encoded host-header response header (the value c2hhcmVkLmJsdWVob3N0LmNvbQ==, for example, decodes to shared.bluehost.com). WordPress 6.9.1 recurs across unrelated agencies, suggesting a shared maintainer or template. Of the financial and oversight estate, 10 of 15 domains were live (five WordPress, two Laravel, one October CMS, one IIS/ASP.NET with detailed-error path disclosure). Of nine military and security domains, seven do not exist in public DNS; the Haitian state's digital security perimeter is, in large part, simply absent.

When a national police domain can be silently re-pointed at a fraud platform and nobody notices, the problem is not a missing patch. The problem is that no one is holding the keys.

Raw Data & Downloads

All collected evidence has been archived and is available for researchers, journalists, and civil-society organizations through ODINT's data server. The published archive contains the per-agency captures and the analytical recon reports; the enumeration tooling used to collect it is intentionally withheld.

Haiti — Full Collection — Complete OSINT archive, all agencies and reports (Browse)
Recon Report — Passive reconnaissance of core ministry web infrastructure (View)
Ministry Sweep Results — 13 ministry domains probed, 6 live (View)
Financial & Oversight Sweep — 15 financial/oversight agency domains (View)
Military & Security Sweep — 9 military/security domains incl. pnh.gouv.ht hijack (View)
High-Value Subdomain Recon — Certificate-transparency targets incl. civitax.gouv.ht (View)
FAES & civitax Probe — High-value target probe report (View)
cPanel & Email Recon — Mail infrastructure incl. Customs Exchange 2016 (View)
Tech Stack Scan — CMS, server, and framework fingerprints (View)
Gravatar Reverse Analysis — Identity resolution from public Gravatar hashes (View)
Document PII Report — 227 documents parsed, combined PII findings (View)
PII Master Report — Aggregated PII extraction from public API endpoints (View)
DGI — Tax Directorate — Direction Générale des Impôts captures (Browse)
Douane — Customs (AGD) — Customs captures incl. candidate document set (Browse)
civitax — Municipal Tax App — Recensement & Bordereau module captures (Browse)
BRH — Central Bank — Banque de la République d'Haïti captures (Browse)
MD — Ministry — WordPress REST API + media captures (Browse)
Document Emails & Phones — Extracted contact identifiers from the corpus (View)
Ministry & Agency Captures — DINEPA, MSPP, MENFP, MICT, MPCE, ONI, IGF, MAE, Primature (Browse)
EXIF Report — Metadata from 1,365 scanned images (View)
Web.config Scan — ASP.NET configuration exposure probe (Browse)
Yoast Sitemap Index — Captured sitemap structure (View)

OSINT Disclaimer

This report is based entirely on open-source intelligence (OSINT). No classified information was accessed. No confidential sources were used. No systems were breached. No authentication mechanisms were bypassed. All data referenced in this investigation was publicly available and served without access controls at the time of collection.

Every endpoint described here responded to unauthenticated HTTP GET requests. No passwords, tokens, or credentials of any kind were required or used. The enumeration tooling used to collect this evidence has been withheld from the public archive; only the captured material and analytical reports are published.

Compiled 2026 — Classification: OSINT — Open Source
Observatory for Digital Infrastructure and Network Transparency (ODINT)
