"Chinese facial recognition company left database of people's locations exposed", 13 Feb 2019

A Chinese facial recognition company left its database exposed online, revealing information about millions of people, a security researcher discovered.

SenseNets, a company based in Shenzhen, China, offers facial recognition technology and crowd analysis, which the company boasted in a promotional video could track people across cities and pick them out in large groups. But the company failed to protect that database with a password, Victor Gevers, a Dutch security researcher with the GDI Foundation, discovered…The database contained more than 2.5 million records on people, including their ID card number, their address, birthday, and locations where SenseNets' facial recognition has spotted them.

From the last 24 hours alone, there were more than 6.8 million locations logged, Gevers said. Anyone would be able to look at these records and track a person's movements based on SenseNets' real-time facial recognition. "Knowing when someone is not in the office or at home can be useful for simple burglar crimes, but also social engineering attacks to get into buildings," Gevers said in a message.

He said that GDI Foundation reached out to the company to warn it about the open database, which has been available since July. SenseNets did not respond to a request for comment.

Logged locations include police stations, hotels, tourism spots, parks, internet cafes and mosques, Gevers said. The researcher found that there were 1,039 unique devices tracking people across China…The database was available online for anyone to find, and it allowed for full access -- meaning a malicious actor could add or delete records from the database, Gevers said…