Thousands of fingered crims, informants spaffed in web security COCK-UP

UK privacy watchdog pokes server config gaffe

Exclusive An IT blunder splashed photos of suspected criminals and details of Brits who reported them over the internet, The Register can reveal.

The Facewatch website, which allows police and businesses to upload and share evidence of alleged petty crimes, was left wide open thanks to a web-server misconfiguration. The schoolboy error allowed anyone to easily access a huge cache of CCTV footage, photos and information about companies that sign up to the service.

El Reg was able to look through almost 5,000 records containing images and films of suspects dating back to March 2011.

We saw shoplifters pilfering from department stores, a man brandishing a stick inside a bookies, and people looking shifty in packed pubs presumably just before a crime took place. Some of the images even had names on them, which would be legally problematic if those pictured turned out to be innocent.

We also saw long lists of shops around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any crook wishing to intimidate a witness or exact revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of betting shops. There were also extensive lists of small businesses.

Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court: publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or could ruin their reputation.

Blighty's privacy watchdog - the Office of the Information Commissioner - told us it was beginning inquiries that could lead to a formal investigation.

A spokesman said: “We have recently been made aware of a possible data breach which appears to involve the Facewatch website.

“We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

'Secured by design'

The website boasts it was declared "secured by design" by a police-run body that recognises products or business that meet the "Police Preferred Specification" on security. This badge of honour is normally given to secure buildings or products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.

But with a gaping security hole in its website, this could make businesses think again about how stringent this standard actually is.

You didn't have to be a light-fingered thief nor an elite hacker to get into the sensitive files: all that was required was changing "http" to "https" in the website's address and all the information was there to be accessed.

Specifically, the Nginx software running the HTTPS site was incorrectly configured to list the contents of file directories on the web server rather than serving the intended web pages. Visiting redirects to but this did not happen on the HTTPS site, which instead revealed the index of the server root directory, which could be explored to find website code, databases of users and folders packed with images.

We were told about the security hole by a source who was trying to report a crime. While trying to find the address of a HTTPS-encrypted server to send the images to, he found gave him full read-only access to Facewatch's file tree.

Our source said: "A novice who runs a church website would know not to allow directory browsing."

We reported the security flaw to Facewatch, which closed the hole immediately.

The organisation's chairman Simon Gordon told us the "accessible code related to a previous version" of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be "accessed by the public in order for people reporting crime to contact those who reported a crime on their behalf".

The chairman admitted that contact details of security staff were left visible but they were people who took "all necessary precautions to protect their personal safety". He continued:

We have undertaken penetration testing to ensure that the information stored in the Facewatch systems is secure and can confirm that all personal data are secure and that our systems are secure. The URL to which you referred us has been closed as this is no longer in use.

Facewatch takes the security of the information which it holds very seriously and works with its clients, including the UK police services, and the data protection regulators to ensure that all data is secure when it is being transmitted to the police or held on behalf of our clients.

The crimes which are reported through the Facewatch system do not relate to crimes against the person or which include violence and those using the system are aware that their business email addresses are made available to a variety of people, both by their own organisations and third parties.

Therefore, any risks in the publication of the email addresses are very unlikely. Our clients are required to post signs confirming that they are using CCTV and that images will be disclosed, many of our clients advertise that they are using the Facewatch system through such signs and by using other means. Therefore, the images of those that the police wish to contact are published with the full knowledge of the individuals concerned.

No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.

Some 63,000 people have downloaded Facewatch's smartphone app and its images have been viewed nine million times, we're told. As well as allowing officers and shop bosses to upload files, Facewatch allows Brits to use their mobiles to view CCTV stills and other photos of people wanted for questioning by cops.

Facewatch's Gordon claimed some of the images we found on the server were part of that public mug-shot gallery.

"Some residual images of individuals that the police would like to contact in relation to certain reported crimes were available, these images had been made available to see if members of the public would be able to help with their identification," Gordon said.

The scheme was first tested in London, before being rolled out across the UK. It is operated by a private company called FaceWatch Limited, based in Ipswich. ®

Biting the hand that feeds IT © 1998–2018