Many Spanish companies participate in public procurement procedures launched by the administrations (in fact, there are not a few whose activity depends largely on such participation).

For them, a few years ago the ROLECE (Official Registry of Bidders and Classified Companies of the Public Sector) was launched, which allows them to reduce bureaucracy by grouping all the information the public administration needs into a single document, processed electronically.

What interest can ROLECE have for a hacktivist?

But, at the same time that it simplifies procedures for companies, the information contained in such a register could be of great use to journalists and activists, allowing it to be cross-referenced with other databases and thus detecting ‘curious’ patterns…

…for example: that certain company administrators tend to be ‘awarded’ public contracts more frequently in regions or municipalities of a certain political color.

The ROLECE website.

This being the case, it is not surprising that ROLECE ended up attracting the attention of Jaime Gómez-Obregón, an engineer and ‘hacktivist’ known for having launched a transparency platform on public procurement in Cantabria and, later on, another on the irregular donations of Juan Carlos I:

“I use information technology and open data to surface, expose and wipe out scams and corruption in the Public Sector.”

Form on the website of the Ministry of Finance.

So he quickly detected that the Law on Public Sector Contracts is being breached: it establishes that the ROLECE “will be public and can be accessed openly after identification” and that a regulation “will determine the modalities and requirements for publicizing the Registry”… but access (via digital certificate) only gives access to one’s own registration in the registry (if one has it), not to the whole of it.

This is how the ROLECE was ‘hacked’ from the Treasury website

But Gómez-Obregón has explained in a Twitter thread how he managed to download all the data from the ROLECE by ‘hacking’ the website of the Company Classification Records Consultation service, which draws its data from it.

“The search engine forces me to enter a minimum of four letters of the contractor’s name. Why do they do this? What a desire to hinder access to public data!” “I could brute-force the entire listing, automating iterative searches (AAAA, AAAB… ZZZY, ZZZZ), but that would be inefficient bullshit: 26×26×26×26 = 456,976 searches. There has to be another way.”

Our protagonist reasoned that the validation of the input data of a web form can be done at two points in the request-response cycle: either on the client (the user’s browser) or on the server (the Treasury application).

Inspecting the input field.

“It is always recommended to validate the data at least on the server. I observe that the Treasury browser validates the data on the client. My only hope is that they are not doing validation on the server as well.”

Next, the thread tells how a bit of JavaScript code run from his browser’s console allowed him to get around the client-side data validation, first exponentially reducing the number of searches, and then how that made it easier for him to spot a GET call the page makes to the server via Ajax, to which the server responded with a JSON file containing the information he was looking for.

“These are public data. From a public registry that the Treasury serves on the internet. This is not a crime. It is releasing public data so that there is more transparency in public contracting!”

The next step was to find a single character that, sent to the server, was capable of returning all the records in the database. After white space failed, the visually indistinguishable Unicode character U+2800 (the blank Braille pattern) accomplished the miracle:

I add eight more rows to the pigscript and recline contently on the imaginary dais of my fucking self while all the records are downloaded to my laptop. Now I have 10,747 more files to match with the hiring data! 🥳 Follow me for more recipes. 🤣 pic.twitter.com/3mcfFtwPwh — Jaime Gómez-Obregón (@JaimeObregon) March 20, 2022
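The two observations above (validation can live on the client or on the server, and a character that merely looks blank such as U+2800 passes a naive length check) suggest what a server-side check for this search parameter should look like. The following is an added example written for this article, not code from the Treasury application or from the thread; the allowlist, the four-character minimum and the sample inputs are assumptions chosen to mirror the rule the page describes.

```javascript
// Server-side validation of a "contractor name" search parameter.
// Added example; not the Treasury application's code nor the thread's script.
const MIN_SIGNIFICANT_CHARS = 4;

// Allowlist for a company-name search: letters, digits, spaces and a few
// punctuation marks common in corporate names (S.A., S.L.U., "&", hyphen).
const ALLOWED = /^[\p{L}\p{N}\s.,'&\-]+$/u;

// Only letters and digits count toward the minimum. Spaces and punctuation
// do not, and neither does anything that merely looks blank: U+2800 is
// general category So, so \s and String.prototype.trim() both leave it alone.
const SIGNIFICANT = /[\p{L}\p{N}]/gu;

function validateContractorQuery(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  // NFKC folds compatibility forms (full-width letters, ligatures) so they
  // are judged as their base characters instead of slipping past the allowlist.
  const q = raw.normalize('NFKC');
  if (q.length === 0 || q.length > 200) return { ok: false, reason: 'bad length' };
  if (!ALLOWED.test(q)) return { ok: false, reason: 'disallowed character' };
  const significant = (q.match(SIGNIFICANT) || []).length;
  if (significant < MIN_SIGNIFICANT_CHARS) return { ok: false, reason: 'too short' };
  return { ok: true, query: q.trim() };
}

// What a client-only check amounts to: a raw length test that anyone who
// skips the browser (console script, direct Ajax call) never even runs.
function naiveClientCheck(raw) {
  return typeof raw === 'string' && raw.length >= MIN_SIGNIFICANT_CHARS;
}

// Constructed sample inputs: two legitimate searches followed by the kinds of
// values that reach the server once the browser-side check is bypassed.
const SAMPLES = ['Construcciones Norte S.A.', 'ACME', '    ', '\u2800', '\u2800\u2800\u2800\u2800', 'AB'];

function report() {
  return SAMPLES.map((s) => ({
    input: JSON.stringify(s),
    clientAccepts: naiveClientCheck(s),
    serverAccepts: validateContractorQuery(s).ok,
  }));
}

if (typeof require !== 'undefined' && require.main === module) console.table(report());
```

The four-space input is the instructive row: the client-side length test accepts it while the server rejects it, which is the gap that only a server-side rule closes.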

Now, and since yesterday morning, the service Gómez-Obregón used to access the database is mysteriously and suddenly inaccessible (‘Service Unavailable’) on the website of the Ministry of Finance. “Too late”, our protagonist states on Twitter, “here you have the released dataset”.

To complete the move, he has contacted (also via Twitter) the EU Open Data portal so that it stops linking to the Treasury website and starts linking to the open dataset he downloaded.