Cybersecurity Firm Finds A Bunch Of Clearview's Secret Stuff Sitting Around In A Poorly-Secured Cloud Storage Bucket
from the just-scraping-it-from-the-unsecured-web-so-to-speak dept
As if we needed any further evidence that Clearview is a terrible company. The web-scraping, facial recognition provider has been pitching its unproven tech to an assortment of law enforcement agencies, one-percenters, and questionable governments for a little while now. It shows no sign of slowing down either, no matter how many people (including members of Congress) are now aware of its business practices and cheerful exploitation of billions of images found all over the web.
Someone grabbed a few internal Clearview documents and shared them with BuzzFeed earlier this year. Maybe they shouldn't have bothered. Clearview likes harvesting data and images as quickly as possible. But it's apparently less concerned with keeping its scraped stash secure from outsiders. As Zack Whittaker reports for TechCrunch, Clearview's internal files have been accessed by a security researcher, giving us yet another reason to distrust Hoan Ton-That's company.
Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.
The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.
If you've ever wanted to roll your own affront to humanity, Clearview helpfully left a starter kit out in the open. Of course, it's nothing without a few billion scraped images, so it's not exactly an all-in-one kit. Maybe some Clearview insider could have hooked Hussein up with its stash of personal info. Couldn't have hurt to ask. And he could have. Included in the repository were the company's Slack tokens, which would have allowed anyone to access the company's internal communications. Also included in the storage buckets: 70,000 security cam videos of residents entering and leaving a residential building.
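The failure described above is credentials (cloud storage keys, Slack tokens) sitting in a source repository, so that anyone who reaches the repository also reaches everything those credentials unlock. The usual defensive control is a secret scanner run over files before they are committed or pushed. The following is an added example written for this article, not code from Clearview, SpiderSilk or TechCrunch: a small scanner that flags the AWS access key ID prefix and the Slack token prefix (both publicly documented formats) plus generic hard-coded `secret`/`password`/`api_key` assignments, and reports each hit with a redacted value so the scanner's own output does not become a second leak. The sample configuration it scans is constructed and contains no real credentials.

```python
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Credential formats the scanner flags. The AKIA prefix (AWS access key IDs) and
# the xox[abpr]- prefix (Slack tokens) are documented formats; the generic
# assignment pattern catches hard-coded secrets whatever the provider.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    # No leading \b: names such as db_password must still match, while
    # aws_access_key_id = ... does not, because "_id" sits before the "=".
    "generic_assignment": re.compile(
        r"""(?i)(secret|password|passwd|api[_-]?key|access[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never the full secret


def redact(value: str) -> str:
    # Keep a 4-character prefix so the owner can tell which key it is,
    # and mask the rest so the report itself is safe to share.
    return value[:4] + "..." + "*" * max(0, len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents and return every credential-looking hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # The generic pattern captures the value in its last group;
                # the prefix patterns have no groups, so the whole match is the value.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_paths(paths: list[Path]) -> list[Finding]:
    """Scan every regular file under the given paths (directories recurse)."""
    findings = []
    for root in paths:
        files = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
        for f in files:
            try:
                text = f.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            findings.extend(scan_text(str(f), text))
    return findings


# Constructed sample config; none of these values are real credentials.
SAMPLE_CONFIG = """\
# constructed sample; placeholders only
bucket = "example-app-builds"
aws_access_key_id = "AKIAEXAMPLE0000000AB"
SLACK_BOT_TOKEN = "xoxb-000000000000-000000000000-constructedexample"
db_password = "correct-horse-battery"
debug = true
"""


def main(argv: list[str]) -> int:
    """Pre-commit style entry point: exit 1 when any secret is found."""
    if argv:
        findings = scan_paths([Path(a) for a in argv])
    else:
        findings = scan_text("sample.env", SAMPLE_CONFIG)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.redacted}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments it scans the embedded sample and reports three hits (the AWS key ID, the Slack token and the hard-coded database password); pass file or directory paths to scan a real working tree, and wire it into a pre-commit hook so the non-zero exit blocks the commit. Pattern lists like this are only a first line: rotate any credential that has ever been committed, since it remains in history after the line is deleted.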
Hussein did disclose this issue to Clearview, but declined to take the offered bug bounty since it would have forbidden him from publicly discussing his findings. For refusing to shut up, Hussein was thanked by being called a criminal by Clearview's founder.
Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.
Lovely. Well, I'm sure this won't be the last public gaffe by the Company Most Likely To Trigger New Privacy Legislation (State or Federal). People have seen things Clearview never wanted them to see. And they've shared this stuff with the public, which now knows quite a bit about this app-based embodiment of oversharing and the damage done. It's in the midst of a very Ring-esque news cycle where every bit of new reporting makes it look even worse. But unlike Ring, it doesn't have the billions of Amazon to back it when its fortunes start to fade.
Filed Under: facial recognition, leaks, mossab hussein, security, source code
Companies: clearview, clearview ai, spidersilk