Major breach found in biometrics system used by banks, UK police and Defence firms
In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
Much of the usernames and passwords were not encrypted, Rotem told the Guardian. “We were able to find plain-text passwords of administrator accounts,” he said.
Link to article