Comelec Hack: 2013, 2016 and revelation of #pr.is0n3r

Original Post: https://www.facebook.com/notes/clifford-trigo/comelec-hack-2013-2016-and-revelation-of-pris0n3r/1001530523228999

Many of you may not know that the Commission on Elections website (www.comelec.gov.ph) was targeted by Anonymous Philippines, led by a user with the handle #pr.is0n3r, before the 2013 general election.
During that time, a video was published by the same user, mainly giving “COMELEC” a warning of possible electoral fraud. Allegedly, PCOS machines can be tampered with and CF cards can be manipulated.
Watch: https://www.youtube.com/watch?v=xXl3LMjug-k

The end of the video showed the COMELEC website being penetrated using SQL injection. Data was extracted from the COMELEC database and appeared to have been downloaded locally as well.
Do you think Comelec is seriously securing your personal information?
I have tried to reach the user behind the handle pr.is0n3r and asked him if he still has access to the COMELEC website; he replied with revelations. According to him:
  • In 2013, before he got access to COMELEC’s server, somebody had already uploaded a web shell. Guess who? Our friendly neighbor – China. (The same with Bangko Sentral ng Pilipinas.)
  • The last time he had access was after the 2016 defacement.
  • About 5 critical vulnerabilities can be exploited in the website.
  • He is 99% sure he can access the website once it’s up again.
  • He is most concerned that the government is unaware that we have already been infiltrated by foreigners and only reacts to the latest defacement/leak: “…they don’t know that they were hacked long ago by people from other countries. They gathered our info long ago, sir. The Chinese hackers just don’t react, and that is what is scary, because they are quiet and we don’t know what their plans are.”

Additional information by #pR.is0n3r on the Anonymous Philippines page.

Comelec Hack 2016

Late on Sunday night, March 27, 2016, Anonymous Philippines struck again by defacing the COMELEC website. The hacktivists also provided a video with a message similar to the 2013 version: https://www.youtube.com/watch?v=cTJjMTnEJdE
The difference between the two is that the 2016 version showed hackers gaining root privileges by leveraging what appears to be an XPath injection vulnerability.
Hours after that defacement, a hacker group calling themselves Lulzsec Pilipinas claimed to have compromised the COMELEC site as well, then accessed its database and dumped it on the web. That’s 300+GB of compressed data.
An investigative report by Trend Micro said the leaked database contained a huge amount of sensitive personally identifiable information (PII).
COMELEC doesn’t seem to take serious security measures, even displaying sensitive info in plain text!
After the 2013 attack, COMELEC should have known and expected the possibilities of being hacked again. And yet, they seem to not care at all.
In the case of the recent hacking incident, COMELEC should have filed a report with the National Privacy Commission, which they didn’t. Why? Do they really value protecting our sensitive info, the info of the Filipino people? They have failed us.

Paul Biteng

A friend of mine, Paul Biteng, was nabbed by NBI agents at his house last Wednesday night. He was tagged as a suspect in the latest defacement, which media reports said he admitted to, but not the database leakage.
For the information of everybody, Paul and I, along with our friends at Invalid Web Security, are active participants in bug bounty programs.
We strongly believe Paul is not part of the database leakage. We are standing behind him through all of this.
Whatever is uploaded to the web will always be on the web. Ask wehaveyourdata.com!