UK Visa Portal exposed thousands of applicants’ passports and selfies — then called the lawyers on us
A website called UK Visa Portal publicly exposed thousands of passports and selfie photos of applicants who paid the site to obtain a U.K. immigration visa, TechCrunch has learned. An anonymous person notified TechCrunch about the security lapse, saying that the website was exposing at least 100,000 documents from people who had uploaded their passports and selfies to the website as part of the application process. The website is not affiliated with the U.K. government, and some people have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.
The exposed data was secured overnight into Wednesday, hours after we published our initial story about the incident. Given the highly sensitive nature of the exposed data, TechCrunch reported that there was an ongoing security issue while withholding specific details, to minimize any additional risk to individuals' private information. TechCrunch has still not heard back from UK Visa Portal's management. Rather than fixing the issue when we reached out, the company sent its attorneys and public relations firm our way instead.
The security lapse is the latest example in recent weeks of companies publicly exposing their customers' sensitive government-issued identity documents, often through a misconfiguration rather than an outside cyberattack. The exposure of passports is especially problematic at a time when online identity checks are on the rise around the world, as governments roll out age verification laws. The company's lack of response also leaves open questions about whether it will alert affected customers that their passports were publicly exposed, or notify regulators as required under U.S. state and European data breach notification laws.
Exposed passports, selfies, and location data
The data spill stemmed from a publicly accessible Amazon-hosted storage bucket, which UK Visa Portal uses to host user-uploaded passports and selfies. While the bucket was not publicly listing its contents, each file within it could still be retrieved and viewed by anyone who knew that file's web address. In other words, the only thing protecting the documents was that their URLs were not supposed to be known; a bug in the UK Visa Portal website's backend then undid even that, because, according to the person who notified us, it allowed them to view the list of files contained in the bucket.
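The failure mode described above, an Amazon S3 bucket whose objects are readable by anyone while the listing is not, is usually the result of a bucket policy that grants `s3:GetObject` to the anonymous principal (`"*"`) on `bucket/*`. The following is an added example, not code from UK Visa Portal or from AWS: a small policy linter that flags such statements, run against a constructed weak policy and a constructed hardened one. The bucket name `example-uploads`, the account ID and the role name are placeholders.

```python
"""Flag S3 bucket policies that grant anonymous object reads.

Added example for this article; the policy documents below are constructed
for illustration and are not UK Visa Portal's real configuration.
"""
import json

# Actions that let a principal read object contents (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when a statement's Principal matches everyone, i.e. unauthenticated access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def anonymous_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that let anyone fetch objects.

    Granting only s3:GetObject on bucket/* (with no s3:ListBucket) still makes
    every object readable to anyone who learns its key: hiding the listing is
    not access control, as the article's backend-bug detail shows.
    """
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def check_policy_json(text: str) -> list:
    """Convenience wrapper for a policy document as returned by get-bucket-policy."""
    return anonymous_read_statements(json.loads(text))


# Constructed weak policy: the pattern behind "readable by anyone with the URL".
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadUploads",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
}

# Constructed hardened policy: only the application's IAM role (placeholder ARN)
# may read or write, and all access must use TLS. Objects are then served to
# users through short-lived pre-signed URLs minted by that role.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadWrite",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-uploads/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    print("weak:", anonymous_read_statements(WEAK_POLICY))          # ['PublicReadUploads']
    print("hardened:", anonymous_read_statements(HARDENED_POLICY))  # []
```

The linter is a review aid, not a substitute for the account-level control: enabling S3 Block Public Access on the bucket or account makes AWS reject policies like `WEAK_POLICY` outright, and the application should hand users pre-signed URLs with an expiry of minutes rather than permanent public object URLs. Server access logging or CloudTrail data events are what would have answered the question, put to the company below, of whether anyone else downloaded the files.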
TechCrunch confirmed that UK Visa Portal (also known as UK Visit and ETA-Pass) was the source of the data leak and verified the authenticity of the exposed data by contacting affected individuals to ask whether their information was accurate. Many of the user-uploaded photos also carried embedded location metadata, the GPS coordinates that phones record in an image's Exif data when a picture is taken, revealing where the images were taken; in some cases this location data was precise enough to expose the image taker's home address.
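A service that collects selfies has no reason to keep the GPS coordinates a phone writes into a photo, and stripping them at upload time removes the home-address exposure described above even if the storage is later misconfigured. The following is an added example, not code from UK Visa Portal: a dependency-free JPEG segment walker that detects a GPS IFD pointer in the Exif block and drops the whole Exif segment before the file is stored. The sample JPEG is constructed inline (a minimal marker sequence, not a viewable image) so the code runs offline.

```python
"""Detect and strip Exif (including GPS) from a JPEG before storing it.

Added example for this article. The sample bytes at the bottom are
constructed for the test and are not a real uploaded photo.
"""
from typing import Iterator, Tuple

EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # IFD0 tag that points at the GPS sub-IFD


def iter_segments(jpeg: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, raw_segment) for each marker segment after SOI.

    The SOS segment is yielded together with everything after it (the
    entropy-coded scan data through EOI), because scan data is not segmented.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i < len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = jpeg[i + 1]
        if marker == 0xFF:              # fill byte before a marker, skip it
            i += 1
            continue
        if marker == SOS:
            yield SOS, jpeg[i:]
            return
        if marker == EOI or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            yield marker, jpeg[i:i + 2]  # standalone markers carry no length
            i += 2
            continue
        if i + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(jpeg[i + 2:i + 4], "big")  # includes the 2 length bytes
        end = i + 2 + seg_len
        if seg_len < 2 or end > len(jpeg):
            raise ValueError("bad segment length")
        yield marker, jpeg[i:end]
        i = end


def exif_has_gps(jpeg: bytes) -> bool:
    """True if an Exif APP1 segment's IFD0 contains a GPSInfo pointer."""
    for marker, seg in iter_segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_HEADER:
            continue
        tiff = seg[10:]
        if tiff[:2] == b"II":
            order = "little"
        elif tiff[:2] == b"MM":
            order = "big"
        else:
            return True  # unparseable Exif: assume it may carry location data
        ifd0 = int.from_bytes(tiff[4:8], order)
        count = int.from_bytes(tiff[ifd0:ifd0 + 2], order)
        for k in range(count):
            entry = ifd0 + 2 + 12 * k  # each IFD entry is 12 bytes, tag first
            if int.from_bytes(tiff[entry:entry + 2], order) == TAG_GPS_IFD:
                return True
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed; other segments
    (JFIF APP0, quantisation and Huffman tables, scan data) are kept verbatim."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_HEADER:
            continue
        out += seg
    return bytes(out)


def _build_exif_with_gps() -> bytes:
    """Constructed APP1 segment: little-endian TIFF, IFD0 with one GPSInfo entry."""
    ifd0 = (b"\x01\x00"                       # one entry
            + b"\x25\x88" + b"\x04\x00"        # tag 0x8825, type LONG
            + b"\x01\x00\x00\x00" + (26).to_bytes(4, "little")  # count 1, GPS IFD at 26
            + b"\x00\x00\x00\x00")             # no next IFD
    gps_ifd = b"\x00\x00" + b"\x00\x00\x00\x00"  # empty GPS IFD at offset 26
    tiff = b"II" + b"\x2a\x00" + b"\x08\x00\x00\x00" + ifd0 + gps_ifd
    payload = EXIF_HEADER + tiff
    return b"\xff\xe1" + (len(payload) + 2).to_bytes(2, "big") + payload


SAMPLE_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_EXIF = _build_exif_with_gps()
SAMPLE_SCAN = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9"
SAMPLE_JPEG = b"\xff\xd8" + SAMPLE_APP0 + SAMPLE_EXIF + SAMPLE_SCAN  # constructed

if __name__ == "__main__":
    print("gps before:", exif_has_gps(SAMPLE_JPEG))              # True
    print("gps after:", exif_has_gps(strip_exif(SAMPLE_JPEG)))   # False
```

Dropping the whole Exif segment is deliberate: rewriting the TIFF structure to remove only the GPS IFD is error-prone, and orientation or camera fields are not needed for an identity check. In practice the same pass should also drop XMP (APP1 with an `http://ns.adobe.com/xap/1.0/` header), which can carry location too, and run before the file is written to the bucket rather than at download time.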
UK Visa Portal does not provide a way to report security issues through its website, nor does its website give names or contact information for the company's management. TechCrunch sent an email to the address listed on UK Visa Portal's website, alerting the company that it had an ongoing security lapse and asking with whom in management we could share details to resolve the issue. TechCrunch explained that we could not share specifics with the company's general customer support inbox because we could not guarantee that the exposed data would not be misused.
The customer support person provided TechCrunch with the name and email address of Michael Taylor, who we were told is a manager at UK Visa Portal. He did not reply to our inquiry. Soon after, attorneys with U.S. law firm BakerHostetler and representatives of public relations firm FTI Consulting contacted TechCrunch seeking information about the issue at UK Visa Portal. When asked by TechCrunch, the attorneys would not provide evidence that they were authorized to speak on behalf of the company, such as a public record confirming the name and role of the individuals they claimed to represent.
We noted again that we could not share information about the security lapse outside of the company's management. We added that if Taylor, or another manager, was willing to accept information about the security lapse, they could reach out, or the attorneys could copy them on the email thread. We did not hear back.
After our story was published and the bucket was secured, TechCrunch presented the attorneys with a series of questions about the security lapse. The questions we put to BakerHostetler partner Ryan Christian included how long the Amazon-hosted bucket had been exposed, why it was exposed, and whether the company had any logs with which to determine whether anyone had accessed or downloaded the exposed data. We also asked who at UK Visa Portal is responsible for cybersecurity, if anyone. Christian did not respond.
UK Visa Portal is allegedly run by a company called Active Leadgen LLC, which purports to be based in the United Arab Emirates. TechCrunch could not independently corroborate this. It is not necessary to use a third-party service to apply for a U.K. electronic travel authorization, unless you are retaining an immigration attorney, and applicants should apply through the U.K. government's website.