Researchers: HTC Stored User Fingerprints as Image File in Unencrypted Folder

Samuel Gibbs, reporting for The Guardian:

Researchers from FireEye have found that data that could be used to clone a user’s fingerprint was stored as an unencrypted “world readable” image file on HTC smartphones.

Four security researchers discovered that the image file, which is a clear replica of a user’s fingerprint, could be stolen by rogue apps or hackers.

“While some vendors claimed that they store user’s fingerprints encrypted in a system partition, they put users’ fingerprints in plaintext and in a world readable place by mistake,” the authors wrote. “On the HTC One Max X the fingerprint is saved as /data/dbgraw.bmp with a 0666 permission setting (world readable). Any unprivileged processes or apps can steal user’s fingerprints by reading this file.”

Bugs happen, but this is reckless by design. Clearly fingerprint data should never be written to world-readable storage — but in a properly designed system it should not even be possible to access fingerprint data.
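As an added example (not from the Guardian piece or the FireEye paper), here is a small Python audit one could run on a device image or a mounted data partition to flag exactly the condition the researchers describe: regular files whose “other” read bit is set. The temporary directory it builds is a constructed stand-in for `/data`, and the file names and suffix list are assumptions; the `dbgraw.bmp` name is taken from the quote above.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_world_readable(mode: int) -> bool:
    """True when the 'other' read bit is set (0666, 0644, 0604 all qualify)."""
    return bool(mode & stat.S_IROTH)


def audit_world_readable(root: str, suffixes=(".bmp", ".png", ".raw", ".dat")):
    """Walk `root` and return (relative path, octal mode) for every regular file
    anyone on the system can read. `suffixes` narrows the scan to likely
    biometric/image dumps; pass None to report all world-readable files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            st = os.lstat(full)           # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if is_world_readable(st.st_mode):
                findings.append((os.path.relpath(full, root),
                                 oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def demo():
    """Constructed fixture: a fake data partition with one 0666 dump (the HTC
    case) and one correctly locked-down 0600 template. Returns the findings."""
    with tempfile.TemporaryDirectory() as root:
        bad = Path(root, "dbgraw.bmp")            # name from the researchers' quote
        bad.write_bytes(b"BM" + b"\x00" * 16)     # constructed stub of a BMP header
        os.chmod(bad, 0o666)
        good = Path(root, "fp", "template.dat")   # assumed name, properly restricted
        good.parent.mkdir()
        good.write_bytes(b"\x00" * 16)
        os.chmod(good, 0o600)
        return audit_world_readable(root)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"world-readable: {rel} ({mode})")
```

On a real device you would point `audit_world_readable` at the mounted data partition rather than the fixture; the check is deliberately about mode bits only, since that is the defect here, and says nothing about whether the contents are encrypted.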

Monday, 10 August 2015