Embattled facial recognition startup Clearview AI is yet again the subject of scrutiny following reports that a security officer from an outside firm gained access to a cloud repository containing thousands of private files including the company’s source code.
Mossab Hussein, chief security officer at SpiderSilk, a Dubai-based cybersecurity firm, discovered the repository. He said that although it was password-protected, a misconfigured server setting meant that anyone who registered as a new user was able to log into the system that stored the code.
Clearview uses a database of 3 billion images scraped from the internet, and markets its facial recognition technology as a service to law enforcement agencies. Following a front-page story in The New York Times in January, Clearview has been hit with a number of cease and desist orders from companies such as Google, Facebook, and Twitter, as well as lawsuits from private citizens.
As TechCrunch reports, inside the repository Hussein found Clearview’s source code along with secret keys and credentials that granted him access to the company’s storage buckets. Those buckets held copies of its completed Windows, Mac, iOS and Android apps, as well as some pre-release developer builds used for testing.
Hussein also found the company’s Slack tokens, which he could have used to access Clearview’s private messages and communications.
This isn’t the first security-related mishap Clearview has faced in recent months. In February, a hacker managed to steal the company’s client list, revealing that, despite its assertions that its technology was used primarily by law enforcement agencies in North America, it in fact had roughly 2,900 unique public and private institutions as clients in 27 countries around the world.
“We have set up a bug bounty program with HackerOne whereby computer security researchers can be rewarded for finding flaws in Clearview AI’s systems,” said Clearview CEO Hoan Ton-That. “SpiderSilk, a firm that was not a part of our bug bounty program, found a flaw in Clearview AI and reached out to us. This flaw did not expose any personally identifiable information, search history or biometric identifiers.”
Another major discovery Hussein made was a storage bucket in the cloud repository containing roughly 70 thousand videos recorded at face height in the lobby of a New York apartment building. The videos came from a prototype camera installed by New York City real estate company Rudin Management in a trial program set up with Clearview to test its Insight Camera, a product Ton-That says has since been discontinued.
“As part of prototyping a security camera product we collected some raw video strictly for debugging purposes, with the permission of the building management,” said Ton-That.
April 17, 2020 – by Tony Bitzionis