Cybersecurity Firm Finds A Bunch Of Clearview's Secret Stuff Sitting Around In A Poorly-Secured Cloud Storage Bucket

from the just-scraping-it-from-the-unsecured-web-so-to-speak dept

As if we needed any further evidence that Clearview is a terrible company. The web-scraping, facial recognition provider has been pitching its unproven tech to an assortment of law enforcement agencies, one-percenters, and questionable governments for a little while now. It shows no sign of slowing down either, no matter how many people (including members of Congress) are now aware of its business practices and cheerful exploitation of billions of images found all over the web.

Someone grabbed a few internal Clearview documents and shared them with BuzzFeed earlier this year. They needn’t have bothered. Clearview likes harvesting data and images as quickly as possible, but it’s apparently far less concerned with keeping its scraped stash secure from outsiders. As Zack Whittaker reports for TechCrunch, Clearview’s internal files have been accessed by a security researcher, giving us yet another reason to distrust Hoan Ton-That’s company.

Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.

The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.

If you’ve ever wanted to roll your own affront to humanity, Clearview helpfully left a starter kit out in the open. Of course, it’s nothing without a few billion scraped images, so it’s not exactly an all-in-one kit. Maybe some Clearview insider could have hooked Hussein up with its stash of personal info. Couldn’t have hurt to ask. And he could have asked, from inside the company’s own chat. Included in the repository were the company’s Slack tokens, which would have allowed anyone to access the company’s internal communications. Also included in the storage buckets: 70,000 security cam videos of residents entering and leaving a residential building.
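The chain described above (cloud credentials and Slack tokens committed to a source repository, which then unlock storage buckets and internal chat) is exactly what a secret scanner run in CI or as a pre-commit hook is meant to catch before a repository is ever exposed. The following is an added example written for this page; it is not code from Clearview, SpiderSilk or TechCrunch. The file paths, bucket name and token values are constructed (the two AWS values are the placeholder credentials Amazon uses in its own documentation), and the patterns cover only the credential types the article names, plus a generic entropy check for secrets without a recognisable prefix.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed snapshot of a source tree (hypothetical paths and contents; not Clearview's code).
# The AWS values are the placeholder credentials Amazon uses in its own documentation.
SAMPLE_FILES = {
    "app/config.py": (
        'SLACK_BOT_TOKEN = "xoxb-000000000000-000000000000-FAKETOKENFAKETOKENFAKE"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "DEBUG = True\n"
    ),
    "README.md": "Set SLACK_BOT_TOKEN in the environment before starting the worker.\n",
    "ops/publish.sh": "gsutil cp build/app.apk gs://example-release-bucket/\n",
}

# Credential formats with a recognisable prefix: Slack tokens begin xox[abprs]-,
# AWS access key IDs begin AKIA, Google API keys begin AIza.
PATTERNS = {
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic catch for secrets without a known prefix: a quoted assignment to a
# variable whose name suggests a secret, with a high-entropy value.
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:secret|password|passwd|token|key)\w*)\s*[:=]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a tunable heuristic, not a hard rule


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted, so the scanner's own output does not leak the secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value (0.0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the file."""
    return secret[:6] + "..." + secret[-4:] if len(secret) > 12 else "***"


def scan_text(path: str, text: str) -> list:
    """Return one Finding per credential-looking match in the given file contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
        for match in SECRET_ASSIGNMENT.finditer(line):
            value = match.group(2)
            # Skip values already reported by a prefix pattern; judge the rest on entropy.
            if any(p.search(value) for p in PATTERNS.values()):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, lineno, "high_entropy_secret", redact(value)))
    return findings


def scan_tree(files: dict) -> list:
    """Scan a {path: contents} mapping, e.g. the files staged in a pre-commit hook."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind} {f.preview}")
    # Exit non-zero so a CI job or pre-commit hook blocks the commit.
    raise SystemExit(1 if results else 0)
```

On the constructed snapshot this reports three findings, all in app/config.py: the Slack bot token, the AWS access key ID, and the AWS secret key (caught only by the entropy check, since it has no distinctive prefix). The scanner addresses only half of the story above: the other half, a code host that lets anyone self-register an account, is a configuration setting on the host itself and has to be checked there.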

Hussein did disclose this issue to Clearview, but declined to take the offered bug bounty since it would have forbidden him from publicly discussing his findings. For refusing to shut up, Hussein was thanked by being called a criminal by Clearview’s founder.

Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Lovely. Well, I’m sure this won’t be the last public gaffe by the Company Most Likely To Trigger New Privacy Legislation (State or Federal). People have seen things Clearview never wanted them to see. And they’ve shared this stuff with the public, which now knows quite a bit about this app-based embodiment of oversharing and the damage done. It’s in the midst of a very Ring-esque news cycle where every bit of new reporting makes it look even worse. But unlike Ring, it doesn’t have the billions of Amazon to back it when its fortunes start to fade.

Companies: clearview, clearview ai, spidersilk

Comments on “Cybersecurity Firm Finds A Bunch Of Clearview's Secret Stuff Sitting Around In A Poorly-Secured Cloud Storage Bucket”

That One Guy (profile) says:

'Extortion' = 'refused to be paid to shut up' I guess

Hussein did disclose this issue to Clearview, but declined to take the offered bug bounty since it would have forbidden him from publicly discussing his findings. For refusing to shut up, Hussein was thanked by being called a criminal by Clearview’s founder.

Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Because nothing says ‘please, if you find a problem with our systems, tell us’ quite like accusing someone of extortion because they told you about a major problem, refused to take what is essentially hush money, and then told the public as well. I can only hope that the next time someone finds a major problem they see how this firm was treated and go straight to the public with an anonymous release, because if ClearView is going to slag anyone who exposes their mistakes anyway, why waste time going to them in the first place? Just let them find out right alongside everyone else.

Real News (profile) says:

A Clear view of ClearView is frightening.

The reason a clear view of ClearView is frightening is due to the amount of access to those who are in law enforcement and, as lazy and dumb as, say, ClearView.

Then consider others — say Jared Kushner types. They are dumb, but believe themselves to be smart. They are only smart enough to hire good counsel. These types always work hard to allow their greed to blossom.

These types work hard to first connect, then attempt to bond with the international criminals they’ve chosen to emulate.

They may or may not succeed. Still, the public remains screwed.
