President intervenes in release of blogger arrested for demonstrating weakness in national on-line database

An Ecuadorian blogger who documented a security hole in Ecuador’s national online identity database by registering as the nation’s president was released from jail today after the president personally intervened in the matter.

Authorities arrested Paul Moreno on Friday after he documented how he created an account under President Rafael Correa’s name in the national identity database, DatoSeguro. The portal allows citizens to access personal information kept by various government institutions. Moreno notes that the database contains personal information such as criminal records, foreign travel, vehicle registration, property registration and college degrees.

Citing a Wired story on password security, Moreno set out on Nov. 26 to demonstrate a security flaw in DatoSeguro with an attention-getting proof of concept scheme: accessing President Correa’s account. He began by doxing the president, and once equipped with Correa’s date of birth and a national identification number — obtained via online searches — he had two of the three pieces of information he needed. The third was a set of two numbers from an identity card, which he simply guessed. With that, he had access to Correa’s account.

“Out of curiosity, I noticed one time that the fingertip digits in the IDS are all very similar,” he wrote on his blog. “There’s a V or an E or an A followed by various numbers: V23444 – E5444 and so on…combinations that are very simplistic, apparently. The system asked me for the third and fourth numbers of the fingertip digits. With the first combination, I got the numbers right and my account was created. After verifying the email the system sends, I had access to all Rafael Vicente Correa Delgado’s so-called secure data. It took me about half an hour, maybe less.”

Moreno posted screenshots to back up his claims and called for DatoSeguro to change policies so that identity verification is done in person.

Instead of succeeding in getting the government to change its policies, Moreno was arrested. He was to be held for 45 days during an investigation, according to El Comercio. This sparked a social media outcry, particularly on Twitter, where the hashtag #LiberenaPaulcoyote took off over the weekend. (@PaulCoyote is Moreno’s Twitter user name.)

Correa took notice of the controversy, and ordered Moreno released today. According to El Comercio, he noted that he had nothing to hide and that “I give permission to publish all my data.”