Journalists say a vulnerability in the Russian Defense Ministry's website makes it easy to get captured soldiers' personal data

11:36, 6 february 2018

Fontanka.ru journalist Denis Korotkov was able to access the Defense Ministry personal account of Major Roman Filipov, who died over the weekend in Syria after he was shot down by insurgents.

Fontanka says it managed to access his account using just the soldier’s serial number and birthdate — information that the government was required to release under Article 17 of the Geneva Convention. The website says this is enough information to access any Russian soldier’s personal account on the Defense Ministry’s online portal, where you can find a soldier’s salary, housing data, and more.

Russia’s Defense Ministry responded by accusing Fontanka of violating journalistic ethics and breaking privacy laws. According to officials, Filipov simply didn’t have time to set up his password, “and so Mr. Korotkov of Fontanka did it for him.”

Fontanka fired back with an editorial explaining that they were able to bypass the login/password interface by triggering a password-reset, which only required Filipov’s serial number and birthdate. This process could be repeated with any Russian soldier who is taken captive and whose serial number and birthdate are released by Moscow under the Geneva Convention. “We’re not hackers, after all, but journalists,” the editorial says. “We don’t have cyber-troops, and you know perfectly well who does.”