A hotel check-in system left a million passports and driver’s licenses open for anyone to see
A hotel check-in system left more than 1 million customer passports, driver’s licenses, and selfie verification photos exposed to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible.
The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check guests in.
Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering that the system was leaking the sensitive documents of hotel guests from around the world. Sen said this was because the startup set one of its Amazon cloud-hosted storage buckets, which the check-in system uses to store customer data, to be publicly accessible. The data inside could be viewed by anyone using a web browser, without needing a password, by knowing only the bucket name: “tabiq.”
Sen alerted TechCrunch in an effort to help notify the company. Reqrea locked down the storage bucket after TechCrunch reached out to both the company and Japan’s cybersecurity coordination team, JPCERT.
This latest lapse underscores a recurring problem of companies exposing or spilling their customers’ personal information and sensitive documents — not through sophisticated attacks, but by failing to follow basic cybersecurity practices. Aside from the recent buzz around AI-discovered vulnerabilities and new cybersecurity capabilities, sizable security incidents often stem from human error, misconfigurations, or failure to adhere to cybersecurity best practices.
In an email acknowledging the exposure, Reqrea director Masataka Hashimoto told TechCrunch: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.” Reqrea said it does not know how the storage bucket became public. By default, Amazon’s cloud storage buckets are private. After a spate of exposed customer storage buckets a few years ago, Amazon added several warning prompts that customers must click through before data can be made public, making this kind of lapse increasingly hard to cause accidentally.
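The guard rails the paragraph refers to (S3 Block Public Access, plus the ACL and bucket-policy settings that actually make a bucket world-readable) as an added defender-side audit; this is example code, not Reqrea's or TechCrunch's. It takes the dict shapes boto3 returns rather than calling AWS, and the sample ACL at the bottom is constructed.

```python
import json

# Added illustration, not Reqrea's or TechCrunch's code. Input dicts mirror the
# shapes boto3 returns from get_public_access_block, get_bucket_acl and
# get_bucket_policy; the sample values at the bottom are constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def block_public_access_complete(pab):
    """True only when all four Block Public Access switches are on."""
    return all((pab or {}).get(k) is True for k in BLOCK_KEYS)


def acl_public_grants(acl):
    """Grants that hand permissions to the anonymous or any-AWS-user group."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def policy_public_statements(policy_json):
    """Allow statements with a wildcard principal and no Condition block."""
    stmts = json.loads(policy_json).get("Statement", []) if policy_json else []
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-statement form

    def wildcard(p):
        return p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
    return [s for s in stmts if s.get("Effect") == "Allow"
            and wildcard(s.get("Principal")) and "Condition" not in s]


def audit_bucket(pab, acl, policy_json=None):
    """Return findings; an empty list means no public-exposure path was found."""
    guard = pab or {}
    findings = []
    if not block_public_access_complete(pab):
        findings.append("block-public-access incomplete")
    # IgnorePublicAcls / RestrictPublicBuckets neutralise public grants and
    # wildcard policies, so only report them when that guard rail is absent.
    if acl_public_grants(acl) and not guard.get("IgnorePublicAcls"):
        findings.append("acl grants access to AllUsers/AuthenticatedUsers")
    if policy_public_statements(policy_json) and not guard.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows a wildcard principal")
    return findings


# Constructed sample: ACL flipped to public, no Block Public Access configured.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
HARDENED_PAB = {k: True for k in BLOCK_KEYS}
```

Run `audit_bucket(None, EXPOSED_ACL)` to see the two findings for the exposed case; the same ACL under `HARDENED_PAB` yields none, which is why turning on all four switches at account level is the usual fix.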
Hashimoto told TechCrunch that the company plans to notify affected individuals once it has completed its investigation. It remains unclear whether anyone other than Sen accessed the exposed data before it was secured. Hashimoto said the company is reviewing its logs to determine whether there had been any unauthorized access prior to securing the bucket.
Details of the exposed bucket were also captured by GrayHatWarfare, a searchable database that indexes publicly visible cloud storage. The bucket listing contains files dating back to early 2020 and up to as recently as this month, and includes identity documents of visitors from countries around the world.
The hotel check-in system lapse follows other incidents involving sensitive government-issued documents. Earlier this year, TechCrunch reported on the exposure of driver’s licenses, passports, and other identity documents uploaded by customers of money transfer service Duc App. A data breach at car rental service Hertz last year saw hackers make off with driver’s license information belonging to at least 100,000 customers.
These incidents come at a time when governments are increasingly rolling out age-verification laws and private businesses are using “know your customer” checks to verify a person’s identity. Both rely on adults uploading sensitive documents, often to a third-party company, for verification, despite criticism from cybersecurity experts. As age-verification requirements take hold around the world, data lapses can put people whose information was taken at greater risk of identity fraud or of having their likeness misused.