All posts tagged: data exposure

UK Visa Portal spilled thousands of applicants’ passports and selfies online — and hasn’t fixed the leak

A website called UK Visa Portal is publicly exposing the passports and selfie photos of applicants who signed up and paid the site to obtain a U.K. immigration visa, TechCrunch has learned. An anonymous person notified TechCrunch about the security lapse, saying that the website is exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process. The website is not affiliated with the U.K. government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website. TechCrunch confirmed that UK Visa Portal is the source of the data leak and verified the authenticity of the exposed data by contacting affected individuals to ask if their information was accurate. UK Visa Portal does not have a way to report security issues through its website, nor does its website provide names or contact information for the company’s management. TechCrunch sent an email to the address listed on UK Visa Portal’s website to alert the company that …

A hotel check-in system left a million passports and driver’s licenses open for anyone to see

A hotel check-in system left more than 1 million customer passports, driver’s licenses, and selfie verification photos to the open web after a security lapse. The data is now offline after TechCrunch alerted the company responsible. The hotel check-in system, called Tabiq, is maintained by the Japan-based tech startup Reqrea. According to its website, Tabiq is used in several hotels across Japan and relies on facial recognition and document scanning to check guests in. Independent security researcher Anurag Sen contacted TechCrunch earlier this week after discovering that the system was leaking the sensitive documents of hotel guests from around the world. Sen said this was because the startup set one of its Amazon cloud-hosted storage buckets, which the check-in system uses to store customer data, to be publicly accessible. The data inside could be viewed by anyone using a web browser, without needing a password, by knowing only the bucket name: “tabiq.” Sen alerted TechCrunch in an effort to help notify the company. Reqrea locked down the storage bucket after TechCrunch reached out to both …

Indian pharmacy chain giant exposed customer data and internal systems

A security lapse by one of India’s largest pharmacy chains allowed outsiders to gain full administrative control of its platform, exposing customer order data and sensitive drug-control functions, TechCrunch has exclusively learned. The issue affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large network of retail outlets across India. Security researcher Eaton Zveare told TechCrunch that he discovered the flaw after identifying insecure “super admin” application programming interfaces on DavaIndia’s website and privately shared details with Indian cybersecurity authorities. The bug is now fixed, and Zveare disclosed his findings. The exposure comes as Zota Healthcare rapidly scales DavaIndia Pharmacy’s retail business. The Gujarat-headquartered company operates more than 2,300 DavaIndia stores across India, including 276 new outlets announced in January, and plans to add another 1,200 to 1,500 over the next two years. Zveare told TechCrunch that the flaw stemmed from insecure admin interfaces, which allowed unauthenticated users to create “super admin” accounts with high privileges. With that level of access, an attacker could view thousands of online orders containing customer information, …