Cybersecurity Firm Finds A Bunch Of Clearview's Secret Stuff Sitting Around In A Poorly-Secured Cloud Storage Bucket

from the just-scraping-it-from-the-unsecured-web-so-to-speak dept

As if we needed any further evidence that Clearview is a terrible company. The web-scraping, facial recognition provider has been pitching its unproven tech to an assortment of law enforcement agencies, one-percenters, and questionable governments for a little while now. It shows no sign of slowing down either, no matter how many people (including members of Congress) are now aware of its business practices and cheerful exploitation of billions of images found all over the web.

Someone grabbed a few internal Clearview documents and shared them with BuzzFeed earlier this year. Maybe they shouldn't have bothered. Clearview likes harvesting data and images as quickly as possible. But it's apparently less concerned with keeping its scraped stash secure from outsiders. As Zack Whittaker reports for TechCrunch, Clearview's internal files have been accessed by a security researcher, giving us yet another reason to distrust Hoan Ton-That's company.

Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.

The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.

If you've ever wanted to roll your own affront to humanity, Clearview helpfully left a starter kit out in the open. Of course, it's nothing without a few billion scraped images, so it's not exactly an all-in-one-kit. Maybe some Clearview insider could have hooked Hussein up with its stash of personal info. Couldn't have hurt to ask. And he could have. Included in the repository were the company's Slack tokens, which would have allowed anyone to access the company's internal communications. Also included in the storage buckets: 70,000 security cam videos of residents entering and leaving a residential building.
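The excerpt above describes exactly what a secrets check exists to catch: cloud keys and credentials sitting in a source repository, with chat tokens alongside them. As an added example (not code from Clearview, SpiderSilk or TechCrunch), here is a small Python scanner of the kind a team would run in CI or as a pre-commit hook over a working tree. The credential formats it looks for are the publicly documented ones (AWS access key IDs begin with AKIA; Slack tokens with xoxb-, xoxp- and similar prefixes; PEM private keys with a BEGIN header), plus a generic "password/secret/api_key = 'literal'" rule. The sample repository contents are constructed for the demo, and the AWS key in them is Amazon's own documentation placeholder; the findings it reports are redacted so the scan output itself never leaks what it found.

```python
"""Scan a source tree for committed credentials before it is pushed.

Added example, not Clearview's, SpiderSilk's or TechCrunch's code.
Token formats are the publicly documented prefixes; sample files below
are constructed and contain no real credential.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Each rule names a credential type and a regex for its public format.
PATTERNS = {
    # AWS access key IDs: 20 characters starting with AKIA (documented format).
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Slack tokens: xoxb-/xoxp-/xoxa-/xoxr-/xoxs- followed by the token body.
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    # PEM private-key header of any key type.
    "private_key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    # Hard-coded assignment such as password = "..." or api_key: '...'
    "hardcoded_secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|access[_-]?key)\b"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Directories pruned from the walk. Note that .git history needs its own
# scan (e.g. over `git log -p`); pruning it here keeps the working-tree scan honest.
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # first 4 characters + "..." so the report leaks nothing


def _redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return every credential-looking match in text, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # The assignment rule captures the literal; others use the whole match.
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(path, lineno, kind, _redact(value)))
    return findings


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list[Finding]:
    """Walk root, skipping VCS/dependency dirs and binary, unreadable or huge files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > max_bytes:
                    continue
                with open(full, encoding="utf-8") as fh:
                    text = fh.read()
            except (OSError, UnicodeDecodeError):
                continue  # not text we can scan
            findings.extend(scan_text(text, os.path.relpath(full, root)))
    return findings


# Constructed sample repository. The AWS key is Amazon's documented
# placeholder (AKIAIOSFODNN7EXAMPLE); the Slack token is a made-up string
# in the documented shape. The .git entry exists only to show the prune.
SAMPLE_FILES = {
    "config/settings.py": (
        'BUCKET = "app-builds"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'SLACK_TOKEN = "xoxb-000000000000-000000000000-CONSTRUCTEDSAMPLE"\n'
        'DEBUG = True\n'
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "constructed-body\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": "# Build\nRun make. SLACK_TOKEN is read from the vault at deploy time.\n",
    ".git/config": '[remote "origin"]\n\tsecret = "shouldbeskipped"\n',
}


def demo() -> list[Finding]:
    """Materialise the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}: {f.kind} ({f.redacted})")
```

Run as a script it reports three hits in the sample tree (the AWS key, the Slack token and the private key), and nothing from the README that merely names the variable, which is the point: configuration should reference a secret store at deploy time, not carry the value. Wiring `scan_tree` into a pre-commit hook and failing the commit on any finding is the usual deployment.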

Hussein did disclose this issue to Clearview, but declined to take the offered bug bounty since it would have forbidden him from publicly discussing his findings. For refusing to shut up, Hussein was thanked by being called a criminal by Clearview's founder.

Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Lovely. Well, I'm sure this won't be the last public gaffe by the Company Most Likely To Trigger New Privacy Legislation (State or Federal). People have seen things Clearview never wanted them to see. And they've shared this stuff with the public, which now knows quite a bit about this app-based embodiment of oversharing and the damage done. It's in the midst of a very Ring-esque news cycle where every bit of new reporting makes it look even worse. But unlike Ring, it doesn't have the billions of Amazon to back it when its fortunes start to fade.

Filed Under: facial recognition, leaks, mossab hussein, security, source code
Companies: clearview, clearview ai, spidersilk


Reader Comments


Uriel-238 (profile), 17 Apr 2020 @ 4:00pm

Bad data security

Bad data security seems to be a relentlessly common and effective contributor of sunshine.

Bobvious, 17 Apr 2020 @ 5:44pm

So the security researchers found this stuff in

Clearview (with a simple workaround)?

That Anonymous Coward (profile), 17 Apr 2020 @ 6:30pm

When they claim extortion, you know it's 5x worse than reported.

That One Guy (profile), 18 Apr 2020 @ 1:47am

'Extortion' = 'refused to be paid to shut up' I guess

    Hussein did disclose this issue to Clearview, but declined to take the offered bug bounty since it would have forbidden him from publicly discussing his findings. For refusing to shut up, Hussein was thanked by being called a criminal by Clearview's founder.

    Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Because nothing says 'please, if you find a problem with our systems tell us' quite like accusing someone of extortion because they told you about a major problem, refused to take what is essentially hush money, and then told the public as well. I can only hope that the next time someone finds a major problem they see how this firm was treated and go straight to the public with an anonymous release, because if ClearView is going to slag anyone who exposes their mistakes anyway, why waste time going to them in the first place? Just let them find out right alongside everyone else.

Real News (profile), 18 Apr 2020 @ 11:56am

A Clear view of ClearView is frightening.

The reason a clear view of ClearView is frightening — is due to the amount of access to those who are in law enforcement and, as lazy and dumb as, say, ClearView. Then consider others — say Jared Kushner types. They are dumb, but believe themselves to be smart. They are only smart enough to hire good counsel. These types always work hard to allow their greed to blossom. These types work hard to first connect, then attempt to bond with the international criminals they’ve chosen to emulate. They may or may not succeed. Still, the public remains, screwed.

Smartassicus the Roman, 18 Apr 2020 @ 12:47pm

I'm from the Government...

Smartassicus the Roman, 18 Apr 2020 @ 12:49pm

I'm from the Government...

... and I'm here to help.

We'll be sending a couple of NSA folks and a CIA sniper team to handle this. Once we have all the data we don't already have, we'll ensure your freedoms.

Trust us.

