Thousands of fingered crims, informants spaffed in web security COCK-UP

UK privacy watchdog pokes server config gaffe

Exclusive An IT blunder splashed photos of suspected criminals and details of Brits who reported them over the internet, The Register can reveal.

The Facewatch website, which allows police and businesses to upload and share evidence of alleged petty crimes, was left wide open thanks to a web-server misconfiguration. The schoolboy error allowed anyone to easily access a huge cache of CCTV footage, photos and information about companies that sign up to the service.

El Reg was able to look through almost 5,000 records containing images and films of suspects dating back to March 2011.

We saw shoplifters pilfering from department stores, a man brandishing a stick inside a bookies, and people looking shifty in packed pubs presumably just before a crime took place. Some of the images even had names on them, which would be legally problematic if those pictured turned out to be innocent.

We also saw long lists of shops around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any crook wishing to intimidate a witness or exact revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of betting shops. There were also extensive lists of small businesses.

Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court: publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or could ruin their reputation.

Blighty's privacy watchdog - the Office of the Information Commissioner - told us it was beginning inquiries that could lead to a formal investigation.

A spokesman said: “We have recently been made aware of a possible data breach which appears to involve the Facewatch website.

“We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

'Secured by design'

The website boasts it was declared "secured by design" by a police-run body that recognises products or businesses that meet the "Police Preferred Specification" on security. This badge of honour is normally given to secure buildings or products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.

But the gaping security hole in its website could make businesses think again about how stringent this standard actually is.

You didn't have to be a light-fingered thief or an elite hacker to get into the sensitive files: all that was required was changing "http" to "https" in the website's address and all the information was there to be accessed.

Specifically, the Nginx software running the HTTPS site was incorrectly configured to list the contents of file directories on the web server rather than serving the intended web pages. Visiting http://facewatch.co.uk/ redirects to http://facewatch.co.uk/cms/, but this did not happen on the HTTPS site, which instead revealed a listing of the server's root directory; that listing could be explored to find website code, databases of users and folders packed with images.
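To show how a split like this arises and how it is closed, here is a constructed pair of Nginx server blocks (an illustration added for this article, not Facewatch's actual configuration; the hostname, paths and certificate locations are assumed): the first reproduces the failure mode the article describes, the second serves both schemes from one set of rules with listing disabled and the document root limited to public files.

```nginx
# Weak (constructed): the HTTPS listener has no location rules of its own,
# so requests fall through to the root directive, and autoindex turns any
# directory without an index file into an "Index of /" page with every
# file linked: site code, database dumps and image folders included.
server {
    listen 443 ssl;
    server_name site.example;                 # assumed hostname
    ssl_certificate     /etc/ssl/site.crt;    # assumed paths
    ssl_certificate_key /etc/ssl/site.key;
    root      /srv/site;                      # holds cms/, code, data, images
    autoindex on;                             # renders directory listings
}

# Corrected (constructed): one server block answers on both ports, so the
# HTTP and HTTPS sites cannot drift apart; listings are off and the root
# points only at files that are meant to be public.
server {
    listen 80;
    listen 443 ssl;
    server_name site.example;
    ssl_certificate     /etc/ssl/site.crt;
    ssl_certificate_key /etc/ssl/site.key;

    autoindex off;                  # the default, but stated so it is reviewed
    root /srv/site/public;          # never the directory holding code or data

    location = / {
        return 302 /cms/;           # same landing redirect on both schemes
    }
    location / {
        # a directory with no index file gets 403, never a listing;
        # a missing file gets 404
        try_files $uri $uri/ =404;
    }
    location ~ /\. {
        deny all;                   # dotfiles such as .git or .env
    }
}
```

After reloading, fetching `/` and a known directory path over both http:// and https:// should return the same redirect and status codes; any `Index of` page in the response body means a listener is still serving the wrong root.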

We were told about the security hole by a source who was trying to report a crime. While trying to find the address of an HTTPS-encrypted server to send the images to, he found https://facewatch.co.uk/ gave him full read-only access to Facewatch's file tree.

Our source said: "A novice who runs a church website would know not to allow directory browsing."

We reported the security flaw to Facewatch, which closed the hole immediately.

The organisation's chairman Simon Gordon told us the "accessible code related to a previous version" of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crime to contact those who reported a crime on their behalf".

The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety". He continued:

We have undertaken penetration testing to ensure that the information stored in the Facewatch systems is secure and can confirm that all personal data are secure and that our systems are secure. The URL to which you referred us has been closed as this is no longer in use.

Facewatch takes the security of the information which it holds very seriously and works with its clients, including the UK police services, and the data protection regulators to ensure that all data is secure when it is being transmitted to the police or held on behalf of our clients.

The crimes which are reported through the Facewatch system do not relate to crimes against the person or which include violence and those using the system are aware that their business email addresses are made available to a variety of people, both by their own organisations and third parties.

Therefore, any risks in the publication of the email addresses are very unlikely. Our clients are required to post signs confirming that they are using CCTV and that images will be disclosed; many of our clients advertise that they are using the Facewatch system through such signs and by using other means. Therefore, the images of those that the police wish to contact are published with the full knowledge of the individuals concerned.

No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.

Some 63,000 people have downloaded Facewatch's smartphone app and its images have been viewed nine million times, we're told. As well as allowing officers and shop bosses to upload files, Facewatch allows Brits to use their mobiles to view CCTV stills and other photos of people wanted for questioning by cops.

Facewatch's Gordon claimed some of the images we found on the server were part of that public mug-shot gallery.

"Some residual images of individuals that the police would like to contact in relation to certain reported crimes were available; these images had been made available to see if members of the public would be able to help with their identification," Gordon said.

The scheme was first tested in London, before being rolled out across the UK. It is operated by a private company called FaceWatch Limited, based in Ipswich. ®
