by Tim Reilly
xClearview AI Security Lapse – What You Should Know
On Thursday, April 16, TechCrunch and other news outlets reported that facial recognition startup Clearview AI misconfigured a repository that ultimately exposed the company’s internal files, applications and source code for anyone on the internet to find if they knew where to look.
The company has faced its fair share of controversy from the media, as it stores billions of images of individuals scraped from social media profiles for law enforcement to compare their own images against the company’s database. However you view the company’s morals, this event is packed with lessons to be learned by all organizations if you dig into some of the details of the situation.
A Quick Overview from TechCrunch: “Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.
The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.
The repository also exposed Clearview’s Slack tokens, according to Hussein, which, if used, could have allowed password-less access to the company’s private messages and communications.”
Why is this significant? The Devil is in the Details
From an overall cyber hygiene perspective, it does not appear that ClearView AI was negligent by any means. They didn’t misconfigure cloud storage access or make the buckets publicly readable, like we see a lot of companies make headlines for doing.
So what went wrong? Essentially, they compiled storage bucket credentials into their source code, which was accidentally accessible via GitHub or some other service and left them vulnerable if a malicious actor knew where to look.
At the end of the day, a lot of companies publish code pretty frequently. And this specific breach could have just as easily been leaked through intentional publishing, due to the fact that it’s incredibly difficult to review all code and spot things like embedded keys.
Lessons Learned and Prevention Tips
While the average organization obviously doesn’t have the same information stored or infrastructure set up as Clearview AI, this instance highlights the need for organizations to ensure that their code isn’t storing any information that could be weaponized against them.
For example, organizations should be conducting code checks to ensure that sensitive info like storage keys aren’t leaked if (or when) their source code is made public. However, this can be a tedious task without the right processes in place and it can take up a fair amount of bandwidth.
Another option is client-side encryption products that holistically protect against data breaches caused by a wide range of misconfiguration issues, including leaked storage bucket credentials.
The Path Forward
However you choose to safeguard your business against the new and established vectors attackers choose to use most is primarily based on your industry, the security team you have in place and the sensitivity of the assets your company stores.
For companies storing and using any form of sensitive data, software-defined encryption is an easy-to-deploy, non-disruptive way to ensure that any data attackers try to access is deemed useless if ultimately it falls into the wrong hands.
If you have any questions on how software-defined encryption works or boosting your enterprise security posture in general, feel free to reach out to us for a chat. We love hearing from you and are happy to help you out, wherever you are in your security journey!