In a familiar refrain, a cloud data bucket was left open, but this time the stakes were high – a misconfigured server exposed the source code, copies of its facial recognition apps as well as private data at controversial startup Clearview AI, which gained unwanted notoriety earlier this year for obtaining billions of photos by scraping the internet for use by law enforcement agencies.
Although the database was password protected, SpiderSilk CSO Mossab Hussein discovered that anyone could register an account and gain access to the system.
“Clearview AI’s cloud data buckets were left vulnerable, and unfortunately, these oversights caused their facial recognition apps and private data to be left open on the internet for anyone to access,” said James Carder, chief security officer and vice president, who noted the exposure is a result of “bad IT practice with lax security controls” that didn’t provide for monitoring and alerting. “Additionally, thousands of videos from a residential building were left open on the server, a violation of privacy and potential danger to those on camera.”
It’s the second breach for Clearview AI in just a couple of months. In February, the facial recognition company informed customers that a hacker stole its entire client list.
“Regardless of your personal feelings about the company, Clearview’s second security lapse in just two months demonstrates how common misconfigurations are when companies lack proper cloud security strategies, and how easily threat actors can exploit these vulnerabilities,” said DivvyCloud CTO Chris DeRamus. “A misconfigured server opened a window for cybercriminals to steal Clearview’s intellectual property, including its source code and the credentials used to access the cloud storage buckets that held various versions of its app.”