Massive biometric security flaw exposed nearly 28 million records

Shawn Knight

Shawn Knight

Posts: 15,291   +192
Staff member
The big picture: The good news is that as of Wednesday morning, the vulnerability had been closed. The bad news? The service is in use at 1.5 million locations globally. Worse yet is the fact that unlike passwords, once biometric data like fingerprints are leaked, you can’t change them.

Security researchers with vpnmentor, a service that reviews virtual private network providers, recently found a publicly accessible database that was unprotected and mostly unencrypted.

The database in question belonged to Suprema, a security company that’s responsible for the widely used Biostar 2 biometrics lock system in use at facilities around the globe. By manipulating URL search criteria in Elasticsearch, the researchers were able to gain access to a database with nearly 28 million records.

Said database included 23GB worth of data including fingerprint data, facial recognition data, dashboards, admin panels, images of faces, facility access lots, security levels and clearances, unencrypted usernames and passwords and personal details of staff.

In testing, the researchers said they were able to access data from a medicine supplier in the UK, a car parking space developer in Finland, a gym in India and co-working organizations in the US and Indonesia. They were even able to change data and add new users.

Masthead credit: holographic fingerprint by ktsdesign

Permalink to story.

https://www.techspot.com/news/81443-massive-biometric-security-flaw-exposed-nearly-28-million.html

 
LMAO

One more revelation of the era of Trump.

Keep em coming.

I knew exactly why I still use numbers for unlocking my stuff. Your old god called convenience betrayed you.

In other news in china the face replaces the signature.
 
Last edited:
  • Like
Reactions: Misagt
The Police all over the world would surely like to get all those fingerprints and ID to add to their database. I bet they would dare to add it without any authorization if the flaw allowed it.
 
Nero7 said:
LMAO

One more revelation of the era of Trump.

Keep em coming.

I knew exactly why I still use numbers for unlocking my stuff. Your old god called convenience betrayed you.

In other news in china the face replaces the signature.
Click to expand...
RREEEEEEEEE!!!
 
  • Like
Reactions: Impudicus
I typed out a random funny comment for this, and then I was just like... yup, just another day and started asking why this is acceptable for companies. The fines for these data breaches should potentially put companies OUT of business, then they will start worrying more about being "The best decision to protect your business." but I suppose that would give more control to government and nobody really wants that, but maybe we need it. Companies don't actually care about our personal data, and apparently only have a light obligation to worry about it. Other news, we get $100 for the Equifax data breach? I know that adds up, but individually, if your information is compromised that's worth a lot more than $100... but I guess that's just my opinion.
 
  • Like
Reactions: wiyosaya and Nero7
Ho. Ly. Sh. It.
Yet another case of security having no security. Thanks guys!
I must send my CV to them, looks like they'll hire anyone, no security competence needed.
 
ROFLMAO ..... well, so much for secure log on's ...... just wait until they break into the data bank with all those eyeball records!
 
You must log in or register to reply here.

Similar threads

Cal Jeffrey
Microsoft left a server containing employee credentials exposed to the internet for a month
Replies
3
Views
102
plambert2015
P
midian182
Massive leak exposes 26 billion records in mother of all breaches
Replies
11
Views
361
RudyBob
RudyBob
midian182
Google awarded $10 million in bug bounties last year, the second highest in the program's...
Replies
2
Views
146
toooooot
T

Latest posts

Back