Cybersecurity Firm Finds A Bunch Of Clearview's Secret Stuff Sitting Around In An Poorly-Secured Cloud Storage Bucket
from the just-scraping-it-from-the-unsecured-web-so-to-speak dept
As if we needed any further evidence that Clearview is a terrible company. The web-scraping, facial recognition provider has been pitching its unproven tech to an assortment of law enforcement agencies, one-percenters, and questionable governments for a little while now. It shows no sign of slowing down either, no matter how many people (including members of Congress) are now aware of its business practices and cheerful exploitation of billions of images found all over the web.
Someone grabbed a few internal Clearview documents and shared them with BuzzFeed earlier this year. Maybe they shouldn't have bothered. Clearview likes harvesting data and images as quickly as possible. But it's apparently less concerned with keeping its scraped stash secure from outsiders. As Zack Whittaker reports for TechCrunch, Clearview's internal files have been accessed by a security researcher, giving us yet another reason to distrust Hoan Ton-That's company.
Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.
The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.
If you've ever wanted to roll your own affront to humanity, Clearview helpfully left a starter kit out in the open. Of course, it's nothing without a few billion scraped images, so it's not exactly an all-in-one-kit. Maybe some Clearview insider could have hooked Hussein up with its stash of personal info. Couldn't have hurt to ask. And he could have. Included in the repository were the company's Slack tokens, which would have allowed anyone to access the company's internal communications. Also included in the storage buckets: 70,000 security cam videos of residents entering and leaving a residential building.
Hussein did disclose this issue to Clearview, but declined to take the offered bug bounty since it would have forbidden him from publicly discussing his findings. For refusing to shut up, Hussein was thanked by being called a criminal by Clearview's founder.
Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.
Lovely. Well, I'm sure this won't be the last public gaffe by the Company Most Likely To Trigger New Privacy Legislation (State or Federal). People have seen things Clearview never wanted them to see. And they've shared this stuff with the public, which now knows quite a bit about this app-based embodiment of oversharing and the damage done. It's in the midst of a very Ring-esque news cycle where every bit of new reporting makes it look even worse. But unlike Ring, it doesn't have the billions of Amazon to back it when its fortunes start to fade.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: facial recognition, leaks, mossab hussein, security, source code
Companies: clearview, clearview ai, spidersilk
Reader Comments
Subscribe: RSS
View by: Time | Thread
Bad data security
Bad data security seems to be a relentlessly common and effective contributor of sunshine.
[ link to this | view in thread ]
So the security researchers found this stuff in
Clearview (with a simple workaround)?
[ link to this | view in thread ]
When they claim extortion, you know its 5x's worse than reported.
[ link to this | view in thread ]
'Extortion' = 'refused to be paid to shut up' I guess
Hussein did disclose this issue to Clearview, but declined to take the offered bug bounty since it would have forbidden him from publicly discussing his findings. For refusing to shut up, Hussein was thanked by being called a criminal by Clearview's founder.
Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.
Because nothing says 'please, if you find a problem with our systems tell us' quite like accusing someone of extortion because they told you about a major problem, refused to take what is essentially hush money, and then told the public as well. I can only hope that the next time someone finds a major problem they see how this firm was treated and goes straight to the public with an anonymous release, because if ClearView is going to slag anyone who exposes their mistakes anyway why waste time going to them in the first place, just let them find out right alongside everyone else.
[ link to this | view in thread ]
A Clear view of ClearView is frightening.
[ link to this | view in thread ]
I'm from the Government...
[ link to this | view in thread ]
I'm from the Government...
... and I'm here to help.
We'll be sending a couple of NSA folks and a CIA sniper team to handle this. Once we have all the data we don't already have, we'll ensure your freedoms.
Trust us.
[ link to this | view in thread ]