At a glance.
- Data exposure at Le Figaro.
- Indonesian online retailer breached.
- COVID-19 symptom tracker exposed.
- Xiaomi user tracking.
- Australia's SkillSelect platform proves leaky.
- Facial recognition when masks are widespread.
- Privacy issues with online proctoring.
Data exposure at Le Figaro.
An unsecured Elasticsearch database belonging to the Parisian national daily Le Figaro has exposed more than eight terabytes of data containing personally identifiable information on at least 42,000 users. An unspecified number of reporters and employees were also affected, BleepingComputer reported. In addition to personal information, the data that were exposed included admin accounts, communication protocols, SQL query errors, and logs of network traffic among Le Figaro servers. The researchers at Safety Detectives who found the exposed data say that the database was not password protected.
Indonesian online retailer breached.
A hacker has leaked data taken from Tokopedia, the largest online retailer in Indonesia, to an online forum, ZDNet writes. The leak, which is believed to represent only a fraction of the data taken in a March 2020 intrusion, included information on fifteen million users. The dump included full names, emails, phone numbers, hashed passwords, and dates of birth. It also included information related to the users' Tokopedia accounts: account creation date, last login, email activation codes, password reset codes, location details, messenger IDs, hobbies, education, about-me fields, and so on. The hacker was not able to extract passwords, and posted the partial take in order to ask for help retrieving them. Tokopedia has advised its customers to change their passwords.
Indian cellular network exposes results of COVID-19 symptom checker.
TechCrunch reports that Jio, India's largest cellular service, inadvertently left a database exposed to the Internet. It contained information about users and the results they reported. Jio introduced a COVID-19 symptom tracker in March, shortly after the Indian government issued a general stay-at-home order. Jio says it immediately took the database down upon notification that it was exposed. “The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms,” a company representative told TechCrunch.
Xiaomi reported to be tracking browser and phone usage.
Chinese phone, device, and accessory manufacturer Xiaomi is tracking ostensibly private information collected from users of its phones and of its Mi and Mint browsers, Forbes reports. Researcher Gabi Cirlig told Forbes that the data he observed being collected from his own device included all the websites he visited, search engine queries (and these included queries with either Google or DuckDuckGo), and everything viewed in a Xiaomi news feed. The folders he opened, his movements among screens, and the songs played on the Xiaomi music app were also followed. The data were sent to servers in Singapore and Russia, to domains registered in Beijing. The collection occurred even when the researcher moved to a private, incognito mode.
Xiaomi told BleepingComputer that the data it collects are all properly anonymized and obtained in compliance with applicable laws. “Xiaomi was disappointed to read the recent article from Forbes,” the company said. “We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.” But BleepingComputer reports that researchers have evidence that this is not the case, and that the report in Forbes is substantially correct.
Australia's Home Affairs Department exposed migrants' data.
The Guardian reports that Australia's Home Affairs Department has exposed data about 774,000 migrants, including names and outcomes of applications. The problem appears to have arisen within the Department's SkillSelect platform, a system designed to invite "skilled workers and business people to express an interest in migrating to Australia."
Facial recognition through the mask.
Companies producing facial recognition software are considering how well their products might adapt to an indefinitely prolonged future in which people routinely wear masks. It's not clear how well facial recognition systems might be adapted to work under such conditions, WIRED reports, but it's not necessarily an insoluble biometric problem.
Online examination proctoring raises privacy issues.
A turn toward online learning during the COVID-19 pandemic has led students to return, more strongly, to concerns they'd already had about online proctoring. The Verge has an account of one such product, Examity, and how it's being received by students. It makes them feel, for one thing, "creeped out." That in itself isn't necessarily damning; lots of things creep people out, and sometimes that's just part of the donnée. But Examity is designed as a tool for ensuring a reasonable degree of academic honesty, and so it asks for a great deal of information. There are conventional requests for full name, email, and phone number, more intrusive requirements to upload a picture of the student's photo ID to Examity’s website, and then collection of a behavioral biometric template from the student's keystrokes. The proctor, a live natural person, finally asks the student to show a webcam view of the entire desktop and its immediate surroundings.
It's difficult to fault any of these as ways of preventing students from cheating. If it's a closed book test, for example, you want to be able to see that there are no notes or references around the student, and you want to ensure that the student's eyes don't wander to any source of assistance that may be outside the webcam's field of view. And of course you'd want reasonable assurance that the students are in fact who they claim to be, and that they're the ones actually producing the work. But there's also a lot of information being asked for.
Two other issues arose. First, some of the questions a student answered were such that Chrome autofilled credit card information. The student deleted it and moved on, but the numbers were briefly displayed on the page. It was Chrome autofill and not Examity that displayed the card number, but such are the difficulties inherent in stitching together an online service. And second, the proctoring was conducted over Zoom, which has had its own struggles with privacy as it's sought to keep pace with exploding demand.
This is the second case of online proctoring to raise privacy concerns during the pandemic emergency. The CyberWire Pro Privacy Briefing earlier discussed another service, Proctorio, in its April 21st issue.