Nearly a million passports and photo IDs were left unprotected on the public internet

This should be a wake-up call for data security.

Typing a few letters and numbers into my web browser, I find myself gaping at the identity documents of complete strangers. The passport of a young woman from Germany. The passport of a man from Spain with glasses resting on his head. The front and back of another man’s driver’s license, a stereotypically goofy expression on his face.

They were all sitting unprotected at public URLs, with no password or access control of any sort. If I sent you a link, you could have looked at someone’s passport.

“We have to do something about it as fast as possible, because people will find this and resell it. It will do damage,” Sammy Azdoufal told me in May.

Azdoufal is the security researcher who used Claude Code to help discover that every DJI Romo robot vacuum cleaner and a million baby monitors and security cameras were embarrassingly easy to hack. This time, he says he discovered over 985,000 photo IDs sitting on the public internet for any half-decent hacker to steal.

If you’ve visited a cannabis club in Spain, Azdoufal says, chances are your photo ID was among them — and possibly your phone number, address, your favorite strains of cannabis, and how much you consumed each month while there. Azdoufal says celebrities are in the database, too, along with visitors from all over the world, including 30,000 from the United States. “They have famous people,” says Azdoufal. “People who don’t want everyone to know they smoke weed.”

It wasn’t the clubs themselves that left these identity documents unprotected. An Irish company called Cannabis Club Systems (CCS), formerly Nefos Solutions, develops and provides the software these clubs use for sales, accounting, and admissions, including a verification system in which receptionists upload your ID and selfie to Nefos’ cloud.

But when Azdoufal decompiled the company’s PuffPal app, he explains in his report, he found that Nefos had no meaningful security in place. He found a secret key for the Stripe payments platform sitting inside the app in plain text, the kind of key that should only ever live on a server, since anyone who downloads the app can extract it. He found he could pull up any member’s profile just by changing one number, a textbook insecure direct object reference. If those profiles included a phone number, home address, passport, and weed preferences, he now had access to those too.

And then he discovered that those passports, driver’s licenses, and photo IDs were stored at public URLs as simple as this: https://ccsnubev2.com/v8/images/_{club}/ID/{user_id}-front.jpg. Nothing in that path is secret: the club identifier is shared by every member of a club, and {user_id} is the same kind of number Azdoufal could change to pull up other members’ profiles, so the whole archive could be walked without ever logging in.
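The URL pattern above is dangerous because every component of it is guessable, and the fix is not to hide the path better but to make the server check something an outsider cannot forge. The following Python is an added example, not code from Nefos, CCS, or Azdoufal’s report: it contrasts the guessable pattern with a short-lived HMAC-signed URL of the kind object stores and image proxies commonly use. The host is the one quoted above; the club slug, signing key, query parameter names, and timestamps are my assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical values. The host and path shape mirror the URL quoted in the
# article; the signing key, parameter names and clock values are assumptions.
HOST = "https://ccsnubev2.com"
SIGNING_KEY = b"server-side-secret-that-never-ships-inside-an-app"  # constructed example key


def _object_path(club: str, user_id: int, side: str = "front") -> str:
    # The storage path for one side of one member's ID scan.
    return f"/v8/images/_{club}/ID/{user_id}-{side}.jpg"


def public_id_url(club: str, user_id: int, side: str = "front") -> str:
    """The vulnerable pattern: club slug plus a sequential member id is all
    that stands between the public internet and a passport scan."""
    return HOST + _object_path(club, user_id, side)


def _canonical(path: str, expires: int) -> bytes:
    # Exactly what gets signed: the object path and the expiry, so that
    # changing either one invalidates the signature.
    return f"{path}|{expires}".encode()


def signed_id_url(club: str, user_id: int, side: str = "front",
                  ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Hardened alternative: the same object path, but carrying a short-lived
    HMAC-SHA256 tag that the image server must verify before serving the file."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    path = _object_path(club, user_id, side)
    sig = hmac.new(SIGNING_KEY, _canonical(path, expires), hashlib.sha256).hexdigest()
    return HOST + path + "?" + urlencode({"expires": expires, "sig": sig})


def verify_signed_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check. True only for an untampered, unexpired signed URL;
    a bare unsigned URL, an edited member id, a flipped signature byte, or a
    stale link all fail."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    expected = hmac.new(SIGNING_KEY, _canonical(parts.path, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot learn the tag byte by byte.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock for a reproducible demo
    link = signed_id_url("demo-club", 1234, now=t)
    print(verify_signed_url(link, now=t + 60))                       # True
    # The "change one number" trick from the article breaks the signature.
    print(verify_signed_url(link.replace("1234-front", "1235-front"), now=t + 60))  # False
    print(verify_signed_url(link, now=t + 600))                      # False (expired)
    print(verify_signed_url(public_id_url("demo-club", 1234), now=t))  # False (unsigned)
```

The key stays on the server, which is exactly where the Stripe secret should have been as well; a link minted for member 1234 cannot be edited into one for member 1235 without breaking the tag, and it stops working after five minutes. The storage itself still has to be private, with only the component that verifies signatures allowed to read from it: a signed URL is a capability, and anyone who obtains one before it expires can use it, so the lifetime should be as short as the reception workflow allows.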

Those clubs were uploading 5,000 new photo IDs to URLs of this form every day, Azdoufal tells me.

The good news: roughly a month after we reached out to Nefos, the company finally seems to be taking meaningful action. The company says it is shutting down its entire PuffPal system and the vulnerable APIs until they can be fixed — in Azdoufal’s latest tests on June 10th, passport images and personal data appeared to be secure. Nefos has also informed local authorities, and says it will take responsibility for making fixes, paying fines, and telling users what happened.

In a phone interview, Nefos co-founder Andreas Nilsen tells The Verge that he’s in touch with Ireland’s Data Protection Commission (DPC) about the data breach — a fact that DPC spokesperson Evan O’Leary confirmed to us by email. “We have to communicate to everyone that was potentially exposed,” Nilsen tells me, saying he hopes the DPC can show his company how to do that properly. Nilsen claims there’s currently no evidence that any outsider other than Azdoufal accessed the data.

But it took far too long for Nefos to take the threat seriously. It took five days and the threat of a story before the company replied to us, long after Azdoufal had first reached out. Then Nefos began by papering over the holes rather than risk its business by taking the system offline.

I was prepared to write this story at the beginning of June, after Azdoufal told me Nefos had finally locked down the passport images. But on June 4th, I surprised Azdoufal by showing him that his very own passport was online once again, without any protection.

That’s because Nefos had not yet stopped cannabis clubs from using the PuffPal app, and clubs were complaining that the locked-down images weren’t showing up the way they used to — so Nefos simply unlocked the images again. While Nilsen claims the images were locked down “70 percent of the time” since Azdoufal and I got in touch, it’s pretty clear that Nefos made a decision to prioritize its customers over the threat.