Face recognition: Clearview source code was open on the Internet




Another data breach at controversial startup Clearview AI: a negligently configured server of the American company, which specializes in automatic facial recognition, temporarily exposed sensitive internal files such as the source code of the biometric application, finished apps for the Android, iOS, Mac and Windows operating systems, 70,000 videos, and access credentials allowing free access to internal messaging communication over the Internet. Anyone with knowledge of the vulnerability could easily have picked up the company’s crown jewels.


Mossab Hussein, an employee of Dubai-based computer security company SpiderSilk, discovered the exposure and made the online magazine TechCrunch aware of it. He had previously informed Clearview of the leak, which has since been sealed. According to the report, the data store accessible over the network was protected by a password prompt, but the system allowed anyone to register as a new user without any prerequisites and to log in with the user ID they had created.

The source code stored in the server directory that could be accessed in this way could be used, for example, to compile and run one’s own applications for the service. The company’s service allows users to take a photo of a person, upload it, and compare it to a database of around three billion portraits that Clearview compiled largely from social media. This makes it easy to discover the identity of the person photographed.

Among other things, Hussein also managed to take screenshots of how the iOS app works using the example of a photo uploaded by Facebook founder Mark Zuckerberg. Apple blocked the app in late February because Clearview violated the terms of use for its proprietary developer program. The app, like the Android version, had previously been accessible on Amazon’s public cloud storage. Facebook, Google and Twitter have also asked the startup to delete all facial images taken from their networks.

According to Hussein, the Clearview server also contained secret keys for additional cloud storage, which in addition to the executable software also held some applications that were still in development, as well as access tokens for the Slack messaging service, which could be used to access employees’ private messages without a password. The tens of thousands of videos showing people that were also on file are said to have come from a test run of the company-designed “Insight Camera” at a residential building in Manhattan.

Work on the prototype has now been discontinued, Clearview managing director Hoan Ton-That told TechCrunch. The videos were used only for “debugging purposes” and were created “with the permission of the building administration”. He left open whether affected residents and visitors had been informed of their ongoing surveillance and had consented to it.

Ton-That also claimed that Clearview had subjected the misconfigured host server to a “full forensic audit.” The result of the verification was that “no other unauthorized access was made.” Personal information, searches, or biometric characteristics of app users and affected internet users were not lost.

Two months ago, Clearview’s customer list had already fallen into the hands of hackers and was later reported on by the media. Contrary to public assertions, the users of the service include not only law enforcement agencies but also many department store chains. Several lawsuits against the company are pending in the United States. The Vermont Attorney General is investigating whether the company violated data protection regulations. In Germany, Hamburg’s data protection officer Johannes Caspar has launched an investigation against the company.


(tiw)
