# CRITICAL FINDINGS — Colombia OSINT Campaign
## Date: 2026-02-25

---

## SEVERITY: CRITICAL

### 1. GCP Service Account Private Key — PUBLICLY EXPOSED
- **URL**: https://www.colombiahumana.co/portal/wp-content/themes/colombiahumana/colombia-humana-2024-ea35973a5d65.json
- **Project**: colombia-humana-2024
- **Email**: google-analytics-asamblea-2024@colombia-humana-2024.iam.gserviceaccount.com
- **Client ID**: 106731429309082488283
- **Private Key ID**: ea35973a5d652bc0c138e22d6f9b0983b696a36f
- **Full RSA private key downloaded** — can authenticate as this service account
- **Impact**: Access to Google Analytics data, potentially Cloud Storage, BigQuery, or any other GCP service this account has IAM permissions for
- **Local file**: `colombia-humana/gcp-service-account-key.json`

### 2. AWS STS Credentials — LEAKED ON EVERY PAGE LOAD
- **URL**: https://app.ia.policia.gov.co
- **AWS Account**: 926162397524
- **S3 Bucket**: pon-prod-ai-platform-926162397524
- **Region**: us-east-1
- **Access Key**: ASIA5PI4UVFKL3IFXKMF (rotates per page load, 15-min expiry)
- **Impact**: Temporary S3 access to police AI platform bucket on every page load. Automated harvesting of fresh tokens is trivial.
- **Local file**: `police-ai/aws-credentials-extracted.json`

### 3. AWS Cognito User Pool — EXPOSED
- **User Pool ID**: us-east-1_s8S1IYnxv
- **API Gateway**: https://qb4jva2046.execute-api.us-east-1.amazonaws.com
- **Source**: nadia.ia.policia.gov.co JS bundle (2.4MB)
- **Impact**: User enumeration, potential brute force against Cognito auth. API Gateway endpoint is the backend for the police AI system running 10 AI models via Amazon Bedrock.
- **Local file**: `police-ai/nadia-infrastructure.json`

### 4. 1,870 Delegate PII Records — NO AUTHENTICATION
- **URL**: https://decidim.colombiahumana.co/index.php?action=get_confirmados
- **Data**: Full names (nombres + apellidos) + national ID (cédula) numbers for 1,870 political delegates
- **Cédula lookup**: POST /index.php with action=confirmar_datos&cedula=[number] returns masked email
- **Impact**: Mass identity theft, targeted political harassment, social engineering
- **Local file**: `colombia-humana/decidim-confirmados.json` (267KB)

### 5. 9 ArcGIS Servers — NO AUTHENTICATION (25GB)
- **ergit.presidencia.gov.co** — Military conflict maps, armed group territories (ELN, AGC, EMC), FARC reintegration GPS coords, 22 human rights services, victim data (320MB), peace signatory attack data
- **gis.dnp.gov.co** — 7 IHEH military services, 3 CTT military geovisors, national security plan, land registry
- **sig.upra.gov.co** — 12GB of agricultural zoning data, 2026 municipality/department boundaries
- **geovisor.anh.gov.co** — 27,274 oil/gas wells with GPS, seismic data, hydrocarbon land parcels
- **sig.catastrobogota.gov.co** — Full Bogota property database: valuations, building heights, census blocks
- **sig.car.gov.co** — Environmental cartography, mining titles, watershed data, protected areas
- **mapas.parquesnacionales.gov.co** — National park boundaries, zoning, conservation priorities
- **sig.minambiente.gov.co** — Hydrographic data
- **gis.contraloria.gov.co** — 26,089 government infrastructure project records
- **Impact**: Military operational data, intelligence on armed groups, critical infrastructure locations, property/land valuations for entire cities, hydrocarbon exploration data

---

## SEVERITY: HIGH

### 6. Police AI Platform — Full Architecture Exposed
- **5 subdomains**: app.ia, nadia.ia, maps.analytics.ia, catalog.ia, iam.ia (policia.gov.co)
- **10 AI models** via Amazon Bedrock (Claude 4 Opus/Sonnet, Claude 3.x family, Titan, Cohere)
- **Vendor**: Houndoc.ai — Colombian AI startup
- **Session cookies**: secret=ogPXHONRigakoecq, ds cookie expires **2035**
- **Impact**: Complete understanding of police AI capabilities, attack surface for the entire platform

### 7. Agora Party Management — 869 Admin Routes Exposed
- **URL**: https://agora.colombiahumana.co
- **Framework**: Laravel + Inertia.js + Vue (Sanctum auth)
- **CSRF Token**: A19TNRvHnFhVqYv8tVp0e9CghWMSJ89MyeZyVN6F
- **Routes cover**: Assemblies, candidacies, campaigns (email/WhatsApp/SMS), contracts, electoral processes, voters, witnesses, OTP dashboard, file management, system config
- **Impact**: Complete route map enables targeted exploitation if any auth bypass is found

### 8. WordPress XMLRPC — Enabled on 2 Instances
- **Portal**: https://www.colombiahumana.co/portal/xmlrpc.php
- **CRM**: https://crm.colombiahumana.co/xmlrpc.php
- **Methods**: system.multicall, wp.getUsersBlogs, wp.getComments, metaWeblog.*, blogger.*
- **Impact**: Brute force authentication, pingback DDoS amplification, credential stuffing

### 9. Nextcloud with Impersonation App
- **URL**: https://nube.colombiahumana.co
- **Version**: 30.0.6.2
- **Apps**: impersonate (admin can act as any user), snappymail, libresign, forms
- **Federated sharing**: ENABLED
- **Impact**: If admin credentials are compromised, the impersonate app allows access to ALL user accounts

### 10. Cédula PDFs in WordPress Media
- **URL**: https://www.colombiahumana.co/portal/wp-json/wp/v2/media
- **Files**: cedula-76.pdf (national ID document), affiliation/disaffiliation letters
- **Impact**: Physical identity document publicly downloadable

---

## SEVERITY: MEDIUM

### 11. WordPress Admin Users Enumerated
- **danielb** (ID: 1) — Original admin, Gravatar: ce83a5795ede85204e18dbbe51df96737a0f91b6b6ef0808afb9a8a49664cd30
- **luischavarria** (ID: 3) — Admin, Gravatar: d8177c2a6a66c5fbb6d2f2c4c8d86d313f01246a29887474873a08030906f5c4
- **nuevo2024luischavarria** (ID: 139585) — New account (likely password reset), Gravatar: 058acf5609214ff3c5b209a51411b48eed9ae0fb7b21fa1bfa392538e6cfa9ff

### 12. Google Analytics Debug Info Leaked
- **GA Property ID**: 469597137
- **Server path**: /www/wwwroot/colombiahumana.co/portal/
- **Credentials path**: /www/wwwroot/colombiahumana.co/portal/wp-content/themes/colombiahumana/colombia-humana-2024-ea35973a5d65.json
- **Impact**: Server filesystem structure revealed, credential file path confirmed

### 13. 20 Form Structures (Formidable Forms)
- PII collection forms: affiliate registration (name, DOB, cédula, email, phone, address, ethnicity, disability, LGBTQ+, displacement status, ID photo)
- Jury nomination forms, assembly confirmation, disaffiliation records
- Requests for entry data (submissions) return 403; only the form structure is exposed

### 14. CRM API Schema (181 Groundhogg Routes)
- Contacts, companies, emails, broadcasts, funnels, campaigns, tags, searches, reports
- All routes return 401 (auth required), but the full API surface is mapped

### 15. DNS Verification Tokens
- Google: ZbFu0BAhJKxdmmP1uDBmrB3APD7G290CWV3l8ieJ_Lw
- Microsoft 365: ms11844033, ms33132372, ms37011212
- GlobalSign: ynqUB_TdDIexM50K56_qt2QTD06Rk96h9QVlmsE_CG
- Cisco CI: 50f370706a12aaca6d1d02152128404936a7b128da5b6237a2b36ef5f5a37094

---

## TOTAL IMPACT SUMMARY

| Category | Count | Data Volume |
|----------|-------|-------------|
| ArcGIS servers (no auth) | 9 | 25GB |
| Credentials exposed | 4 (GCP key, AWS STS, Cognito, CSRF) | — |
| PII records | 1,870 delegates | 267KB |
| Admin users enumerated | 3 WordPress + Cognito pool | — |
| API routes mapped | 1,050+ (869 Agora + 181 CRM) | — |
| Form structures | 20 (PII collection) | — |
| Government project records | 26,089 | 31MB |
| Oil/gas wells | 27,274 | 16MB |
| Property valuations | Full Bogota | 2.4GB |
| Military/intelligence services | 22+ | 2.8GB |
| **Grand Total** | **1,082 files** | **~25GB** |
