UK Visa Portal spilled thousands of applicants’ passports and selfies online — and hasn’t fixed the leak
A website called UK Visa Portal is publicly exposing the passports and selfie photos of applicants who signed up and paid the site to obtain a U.K. immigration visa, TechCrunch has learned.
An anonymous person notified TechCrunch about the security lapse, saying that the website is exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process.
The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.
TechCrunch confirmed that UK Visa Portal is the source of the data leak and verified the authenticity of the exposed data by contacting affected individuals to ask if their information was accurate.
UK Visa Portal does not have a way to report security issues through its website, nor does its website provide names or contact information for the company’s management.
TechCrunch sent an email to the address listed on UK Visa Portal’s website to alert the company that it has an ongoing security lapse and to ask who in management can accept specific details to resolve the issue.
Given the sensitivity of the exposed data, TechCrunch explained that it could not share specifics with the company’s general customer support inbox because it could not guarantee that the exposed data would not be misused.
Instead, TechCrunch heard back from the company’s purported attorneys and public relations firm.
TechCrunch explained again that given the nature of the exposed files, it could only share details directly with the company’s management, and asked that they put TechCrunch in touch with them.
TechCrunch has not heard back from UK Visa Portal’s management. The security lapse has still not been fixed.
While the security issue is ongoing, TechCrunch believes it’s in the public interest that people who use the company’s services are aware of the issue.
TechCrunch is not publishing precise details in an effort to minimize any further risk to their information.
It is not necessary to use a third-party service to apply for a U.K. electronic travel authorization, unless you are retaining an immigration attorney, and applicants should apply through the U.K. government’s website.