Researchers claimed to have found a publicly accessible database containing nearly 28 million records – including plaintext passwords, face photos, and personal information.
vpnMentor researchers reported Wednesday that the database was used by Biostar 2, a web-based physical access control system sold by South Korea-based Suprema. Biostar uses face recognition and fingerprint scans to identify people authorized to enter warehouses, community buildings, businesses and banks. According to vpnMentor, the system has more than 1.5 million installations in a variety of countries, including the US, UK, Indonesia, India and Sri Lanka.
According to vpnMentor, the 23-gigabyte database contained more than 27.8 million Biostar records used to secure customer facilities. The data included plaintext usernames, passwords and user IDs, access logs, employee records including start dates, personal details, mobile device data, and facial images.
"Ridiculously Simple Passwords"
"One of the more surprising aspects of this vulnerability was how unsecured the account passwords we accessed were," wrote vpnMentor internet privacy researchers Noam Rotem and Ran Locar. "Many accounts had ridiculously simple passwords like 'password' and 'abcd1234.' It's hard to imagine that people still do not know how easy it is for a hacker to access their account."
The researchers said that the data also contained more than 1 million records of actual fingerprint scans. Wednesday's report did not contain any data to substantiate this claim, and the vpnMentor researchers did not respond to Ars' request for samples of records containing such scans. TechCrunch security reporter Zack Whittaker said on Twitter that his examination of several encrypted hashes from the data was inconclusive.
Security experts agree that the best way to store or transmit biometric data is to hash it first, so that a third party who obtains the store in a breach does not get the raw biometric (with fingerprints, where two scans of the same finger never match bit-for-bit, that means a template-protection scheme rather than a plain password-style hash). If it turns out that the database really did contain more than 1 million actual fingerprints, the exposure would be serious, since the individuals whose prints were leaked, and the companies they work for, would be open to fraud. Unlike passwords, fingerprints cannot be changed.
Some of the organizations whose information was exposed were:
- Uptown – coworking space in Jakarta, Indonesia, with 123 users.
- Power World Gyms – high-end gym franchise with locations in India and Sri Lanka. We accessed 113,796 user records and their fingerprints.
- Global Village – annual cultural festival in the United Arab Emirates; 15,000 fingerprints were accessible.
- IFFCO – consumer food products group based in the United Arab Emirates.
- Ostim – developer of industrial zones.
- Inspired.Lab – co-working and design space in Chiyoda City, Tokyo.
- Adecco Staffing – We found about 2,000 fingerprints belonging to staff of the staffing giant.
- Identbase – provider of commercial ID and access card printing technology, whose data was also found in the internet-exposed database.
According to Wednesday's report, the researchers found the database through an internet-mapping project in which they scanned ports on known IP blocks for exposed services.
"The team discovered that large parts of the BioStar 2 database are unprotected and largely unencrypted," the researchers wrote. "The company uses an Elasticsearch database, which is not normally designed to be used via URLs, but we could access it through a browser and manipulate the URL search criteria to expose huge amounts of data."
According to the vpnMentor researchers, the globally readable Suprema database did not just leak the stored information: it was also possible to add, delete or modify records in it. That left open the possibility of adding records to grant unauthorized people access to secure facilities. It also opens the door to identity theft, phishing attacks, blackmail and extortion.
The vpnMentor researchers said they discovered the exposed database on August 5 and privately reported the find two days later. The database was not secured until Tuesday, six days after that report. Representatives of Suprema did not respond to a request for comment on this story.
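To make concrete what "unprotected" means here, the following is an added example, not code from the original article, from vpnMentor or from Suprema: a read-only Python check that asks an Elasticsearch endpoint the three things any anonymous client can ask (the root banner, the index catalogue and a one-document `_search`) and reports what comes back without credentials. The sensitive-field hints and the sample responses are constructed for this example; nothing here writes to the target.

```python
"""Read-only check: does an Elasticsearch node answer anonymous REST requests?

Added example. Only GET requests to non-mutating paths are issued.
"""
import json
import sys
import urllib.error
import urllib.request

# Field names that suggest a document holds credentials or biometrics.
# Heuristic list chosen for this example (assumption), not an Elasticsearch concept.
SENSITIVE_FIELD_HINTS = ("password", "passwd", "pwd", "secret", "token",
                         "fingerprint", "face", "biometric", "email", "phone")

# Constructed responses standing in for a live node, so the example runs offline.
CONSTRUCTED_RESPONSES = {
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "demo",
                           "version": {"number": "6.8.1"},
                           "tagline": "You Know, for Search"})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"health": "green", "status": "open", "index": "users", "docs.count": "1200"},
        {"health": "green", "status": "open", "index": ".kibana", "docs.count": "3"},
        {"health": "yellow", "status": "open", "index": "access-logs", "docs.count": "34"},
    ])),
    "/_search?size=1": (200, json.dumps({"hits": {"total": 1234, "hits": [
        {"_index": "users", "_source": {"username": "jdoe", "password": "abcd1234",
                                        "fingerprint_template": "AAAA..."}}]}})),
}


def demo_fetch(path):
    """Offline fetcher over the constructed responses above."""
    return CONSTRUCTED_RESPONSES.get(path, (404, ""))


def http_get(base_url, path, timeout=5):
    """Live fetcher: anonymous GET of base_url + path, returning (status, body_text)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def _json_or_none(body):
    try:
        return json.loads(body)
    except ValueError:
        return None


def assess_exposure(fetch):
    """Classify what an anonymous client can read. fetch(path) -> (status, body)."""
    report = {"reachable": False, "anonymous_read": False, "version": None,
              "indices": [], "doc_count": 0, "sensitive_fields": []}

    status, body = fetch("/")
    if status in (401, 403):
        report["reachable"] = True      # node is there but authentication is enforced
        return report
    banner = _json_or_none(body)
    if status != 200 or not isinstance(banner, dict) or "tagline" not in banner:
        return report                   # not a recognisable Elasticsearch node
    report["reachable"] = True
    report["anonymous_read"] = True
    report["version"] = (banner.get("version") or {}).get("number")

    # Index catalogue: names and document counts, skipping dot-prefixed system indices.
    status, body = fetch("/_cat/indices?format=json")
    catalogue = _json_or_none(body) if status == 200 else None
    for entry in catalogue if isinstance(catalogue, list) else []:
        name = entry.get("index")
        if name and not name.startswith("."):
            report["indices"].append(name)
            report["doc_count"] += int(entry.get("docs.count") or 0)

    # The URL manipulation the researchers describe: query parameters on _search
    # hand documents to anyone who can reach the port. One document is enough
    # to see which field names are exposed.
    status, body = fetch("/_search?size=1")
    data = _json_or_none(body) if status == 200 else None
    hits = data.get("hits", {}).get("hits", []) if isinstance(data, dict) else []
    for hit in hits:
        for field in hit.get("_source", {}):
            if any(hint in field.lower() for hint in SENSITIVE_FIELD_HINTS):
                report["sensitive_fields"].append(field)
    return report


if __name__ == "__main__":
    # With no argument, run against the constructed responses; otherwise against
    # a base URL you are authorised to test, e.g. http://127.0.0.1:9200
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(json.dumps(assess_exposure(lambda p: http_get(target, p)), indent=2))
    else:
        print(json.dumps(assess_exposure(demo_fetch), indent=2))
```

A 200 banner, a listable index catalogue and a document whose `_source` carries a plaintext `password` field is exactly the state the article describes; a node with security enabled answers the very first request with 401. The fix is on the server side: enable authentication (`xpack.security.enabled: true` in `elasticsearch.yml`) and do not bind `network.host` to a publicly reachable interface. Only run the live fetcher against systems you are authorised to test.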