Researchers from vpnMentor
The leak is exacerbated by the fact that most of the database was not encrypted. In addition to personal data (name, phone number, email, home address, position, period of employment, etc.), it contained the access logs of system users, plaintext passwords (stored without hashing) and mobile device data, including photographs of faces and the fingerprints used for biometric identification of users.
In total, more than a million original fingerprint scans linked to specific people were identified in the database. Unlike a password, a fingerprint cannot be changed once exposed, so an attacker who obtains the raw scans can forge a fingerprint from the template and use it to bypass access control systems or to plant false traces. The researchers also draw attention to the quality of the passwords, many of which are trivial, such as "Password" and "abcd1234".
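The two password findings above (credentials stored without hashing, and trivial values such as "Password" and "abcd1234" accepted at all) are both storage-side defects. As an added illustration that is not part of the original article and not BioStar 2 code, the following Python shows the shape of a credential store that avoids them: a per-user salted scrypt hash instead of plaintext, constant-time verification, and a weak-password check at enrollment. The blocklist, the `users` dictionary and the parameter choices are assumptions made for this example.

```python
"""Added example for this article: salted scrypt password storage with a
weak-password check. Illustrative code, not BioStar 2's implementation."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed blocklist for the demo. A real deployment would check against
# a large breached-password corpus rather than a handful of literals.
WEAK_PASSWORDS = {"password", "abcd1234", "123456", "qwerty", "admin"}

# Assumed scrypt parameters: N=2**14, r=8, p=1 uses about 16 MB per hash,
# which stays under hashlib's default maxmem limit for interactive logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_LENGTH = 12  # assumed minimum length policy


def is_weak(password: str) -> bool:
    """Reject short passwords and anything on the blocklist (case-insensitive)."""
    return len(password) < MIN_LENGTH or password.lower() in WEAK_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$hash_hex' with a fresh 16-byte salt.

    The salt makes identical passwords hash to different strings, so a
    leaked table does not reveal which users share a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record and compare in
    constant time, so the comparison leaks no timing information."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), hash_hex)


def enroll(users: Dict[str, str], username: str, password: str) -> bool:
    """Store only the hash and refuse weak passwords. Returns True on success."""
    if is_weak(password):
        return False
    users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    store: Dict[str, str] = {}
    # The two passwords quoted in the article are rejected at enrollment.
    for pw in ("Password", "abcd1234"):
        print(f"enroll admin with {pw!r}: {enroll(store, 'admin', pw)}")
    enroll(store, "admin", "correct horse battery staple")
    print("stored record:", store["admin"])
    print("login ok:", verify_password("correct horse battery staple", store["admin"]))
    print("wrong password:", verify_password("Password", store["admin"]))
```

Had records been stored this way, the leaked table would have exposed salted hashes rather than reusable credentials, and the trivial passwords the researchers saw would never have been accepted.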
Moreover, since the database also included the credentials of BioStar 2 administrators, an attacker could have gained full access to the system's web interface and used it to add, edit and delete records: for example, replace stored fingerprint data to gain physical access, change access rights, and remove traces of the intrusion from the logs.
It is noteworthy that the problem was identified on August 5, but several days were then spent trying to convey the information to the creators of BioStar 2, who were unresponsive to the researchers. The information finally reached the company on August 7, but the problem was fixed only on August 13. The researchers found the database as part of a project that scans networks and analyzes publicly reachable web services. It is not known how long the database remained publicly accessible or whether attackers were aware of its existence.
Source: opennet.ru