One of the facial recognition databases that the Chinese government is using to track the Uyghur Muslim population in the Xinjiang region has been left open on the internet for months, a Dutch security researcher told ZDNet.
The database belongs to a Chinese company named SenseNets, which according to its website provides video-based crowd analysis and facial recognition technology.
Yesterday, Victor Gevers, a well-known security researcher that made a name for himself in the past few years by finding leaky MongoDB databases did what he does best and found one of SenseNets' MongoDB databases that had been left exposed online without authentication.
Gevers told ZDNet that the database contained information on 2,565724 users, along with a stream of GPS coordinates that came in at a rapid pace.
The user data wasn't just benign usernames, but highly detailed and highly sensitive information that someone would usually find on an ID card, Gevers said. The researcher saw user profiles with information such as names, ID card numbers, ID card issue date, ID card expiration date, sex, nationality, home addresses, dates of birth, photos, and employer.
For each user, there was also a list of GPS coordinates, locations where that user had been seen.
The database also contained a list of "trackers" and associated GPS coordinates. Based on the company's website, these trackers appear to be the locations of public cameras from where video had been captured and was being analyzed.
Some of the descriptive names associated with the "trackers" contained terms such as "mosque," "hotel," "police station," "internet cafe," "restaurant," and other places where public cameras would normally be found.
The location of some of the SenseNets trackers
Gevers told ZDNet that these coordinates were all located in China's Xinjiang province, the home of China's Uyghur Muslim minority population.
There are numerous reports of human rights abuses carried out by Chinese authorities in Xinjiang, such as forcing the Uyghur Muslim population to install spyware on their phones, or forcing some Uyghur Muslims into "re-education" camps that Uyghur Muslims living abroad have described as forced labor camps.
The database that Gevers found wasn't just some dead servers with old data. The researcher said that during the past 24 hours a stream of nearly 6.7 million GPS coordinates were recorded, meaning the database was actively tracking Uyghur Muslims as they moved around.
Location of one of the GPS coordinates found in the exposed database
Not knowing what he found at the time, Gevers reported the exposed database to its owner, the Chinese company, which secured it earlier today, blocking access from non-Chinese IP addresses using a firewall rule.
The company did not respond to a request for comment before this article's publication.
The most common conclusion is that SenseNets is a government contractor, helping authorities track the Muslim minority, rather than a private company selling its product to another private entity. Otherwise, it would be hard to explain how SenseNets has access to ID card information and camera feeds from police stations and other government buildings.
Gevers said he now regrets helping the company secure its oppression tool.
Article updated on February 17 with a map of the trackers' locations.
Data leaks: The most common sources
More data breach coverage:
- Huddle House restaurant chain announces breach of POS system
- Hackers wipe US servers of email provider VFEmail
- Dunkin' Donuts accounts compromised in 2nd credential stuffing attack in 3 months
- China hacked Norway's Visma cloud software provider
- Online casino group leaks information on 108 million bets, including user details
- Airbus data breach impacts employees in Europe
- Massive breach leaks 773 million email addresses, 21 million passwords CNET
- Hackers turn to data theft and resale on the Dark Web for higher payouts TechRepublic