Event access ID verification app exposes biometrics, PII


A trove of files used for identity verification, including selfies used for face biometrics, was exposed by a vulnerability in the FacePass app, which was fixed after researchers notified the developer.

FacePass is widely used in Brazil, according to the report, which is why the 1.6 million files contained numerous Brazilian national IDs and taxpayer registry (CPF) numbers. Selfies, full names, phone numbers and the company’s system credentials were also exposed. Cybernews reports its research team found the files in an AWS S3 bucket.

The names and IDs were found together in Excel files, which makes them easier to use for fraud or tailored phishing schemes, and easier to sell on the dark web, Cybernews points out.

“This trove of exposed data places users at significant risk of identity theft, financial fraud, and targeted phishing attacks. Cybercriminals could leverage national IDs and selfies to bypass biometric verification systems, impersonate victims, or gain unauthorized access to financial accounts,” Cybernews researchers said.

If the data had been stored in separate locations or the selfies deleted after a reference template was created, the potential damage would have been significantly reduced.

The AWS credentials found could also be used to access company systems and then extract, change or delete user data.

FacePass is mostly used in Brazil for purchasing tickets and attending events, a use case for biometrics which gained major market growth in 2024, setting up even more rollouts this year.

The leak was discovered and the disclosure process initiated on January 30, and the vulnerability was closed on February 19.
