While working on a web-mapping project, vpnMentor researchers Noam Rotem and Ran Locar discovered a publicly accessible database containing fingerprint records of over 1 million users, facial recognition information, personal information and much more.
The database is run by Suprema, a global corporation headquartered in South Korea, and it stores the information gathered through the company’s web-based BioStar 2 access-control (smart lock) platform.
BioStar 2 uses facial recognition and fingerprint recognition to identify users, and organizations use it to control access to secure areas of their facilities, manage user permissions, integrate with third-party security applications, and record activity logs.
“The team discovered that huge parts of BioStar 2’s database are unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data,” the researchers explained.
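What the researchers describe is the default behaviour of an Elasticsearch node with no authentication in front of it: the REST API answers plain GET requests, so a browser can open the cluster root, list indices with `_cat/indices`, and pull documents with `/<index>/_search?q=...`. The following script is an added example (not vpnMentor’s tooling and not Suprema’s code) for checking whether a node you are responsible for is in that state. The hostname, index names and sample documents are constructed; the logic that classifies responses is separated from the network calls so it can be exercised offline.

```python
"""Probe an Elasticsearch node for unauthenticated read access.

Added example for checking your own infrastructure. Assumes the stock
Elasticsearch REST API (normally on port 9200); all sample data below is
constructed, not captured from any real cluster.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Field-name fragments that suggest the kinds of data the article lists
# (credentials, biometrics, contact details). Hypothetical list; extend as needed.
SENSITIVE_HINTS = ("password", "passwd", "fingerprint", "face", "biometric",
                   "email", "address", "token", "secret")


def search_url(base, index, query="*", size=10):
    """Build the GET-style _search URL a browser can open directly.

    The ?q= parameter takes Lucene query-string syntax, which is all that
    'manipulating the URL search criteria' requires on an open node."""
    base = base.rstrip("/")
    params = urllib.parse.urlencode({"q": query, "size": size})
    return f"{base}/{urllib.parse.quote(index, safe='')}/_search?{params}"


def classify_root(status, body):
    """Verdict for a GET on the cluster root (/)."""
    if status in (401, 403):
        return "auth-required"          # security enabled or a proxy in front
    if status != 200:
        return f"unexpected-status-{status}"
    try:
        data = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    # The root document of an Elasticsearch node carries this fixed tagline.
    if isinstance(data, dict) and data.get("tagline") == "You Know, for Search":
        return "open"
    return "not-elasticsearch"


def total_hits(search_body):
    """Normalise hits.total across ES 6 (integer) and ES 7+ ({"value": n, ...})."""
    total = json.loads(search_body)["hits"]["total"]
    return total["value"] if isinstance(total, dict) else total


def sensitive_fields(search_body):
    """Sorted top-level _source field names whose name suggests sensitive data.

    Only field names are reported, never values, so the report itself does not
    become a second copy of the leaked data."""
    found = set()
    for hit in json.loads(search_body)["hits"]["hits"]:
        for name in hit.get("_source", {}):
            if any(hint in name.lower() for hint in SENSITIVE_HINTS):
                found.add(name)
    return sorted(found)


def fetch(url, timeout=5):
    """GET url and return (status, body). All network I/O lives here."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base):
    """Report whether `base` serves reads without auth, which indices it exposes,
    and which of those contain suspiciously named fields in a 5-document sample."""
    status, body = fetch(base)
    report = {"root": classify_root(status, body), "indices": [], "sensitive": {}}
    if report["root"] != "open":
        return report
    status, body = fetch(base.rstrip("/") + "/_cat/indices?format=json")
    if status == 200:
        report["indices"] = [row["index"] for row in json.loads(body)]
    for index in report["indices"]:
        status, body = fetch(search_url(base, index, size=5))
        if status == 200:
            flagged = sensitive_fields(body)
            if flagged:
                report["sensitive"][index] = flagged
    return report


# Constructed sample responses for offline use (not real cluster output).
SAMPLE_ROOT = json.dumps({"name": "node-1", "cluster_name": "example",
                          "version": {"number": "6.8.0"},
                          "tagline": "You Know, for Search"})
SAMPLE_SEARCH = json.dumps({"hits": {"total": {"value": 2, "relation": "eq"}, "hits": [
    {"_id": "1", "_source": {"user_id": 7, "Password": "hunter2",
                             "fingerprint_template": "AAAA..."}},
    {"_id": "2", "_source": {"user_id": 8, "email": "a@example.test",
                             "department": "ops"}}]}})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(probe(sys.argv[1]), indent=2))   # e.g. http://10.0.0.5:9200
    else:
        print(classify_root(200, SAMPLE_ROOT), total_hits(SAMPLE_SEARCH),
              sensitive_fields(SAMPLE_SEARCH))
```

Run it with the URL of a node you own; a root verdict of `open` followed by a non-empty `sensitive` map is the situation the article describes. The fix is not to filter URLs: bind `network.host` to a private interface, put the cluster behind a proxy that authenticates, and enable Elasticsearch’s own authentication (`xpack.security.enabled: true`), which has been available in the free tier since 6.8 and 7.1.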
The exposed data includes unencrypted biometric data (fingerprint and facial); images of users; unencrypted usernames, passwords, user IDs; personal employee info (e.g., home address and email); employee records, security levels and clearances; records of entry and exit to secure areas; access to client admin panels, dashboards, back end controls, and permissions.
The researchers identified a number of organizations around the world whose users’ or employees’ information is stored in the database, among them banks, defense contractors and even the UK Metropolitan Police. All in all, the researchers were able to access 23 gigabytes of data containing over 27.8 million records.
The danger of leaked information
“With this leak, criminal hackers have complete access to admin accounts o ..