| Field | Value |
| --- | --- |
| Vendor | ZKTeco Co., Ltd |
| Tested Versions | 8.5.4 - 8.5.5 (Build:20221013.1414beta) |
| Vulnerability Type | Improper Access Control |
During a recent penetration test, I stumbled upon an instance of the ZKTeco BioTime web application. The application was linked to a time punch clock that takes pictures of employees; management can then review these pictures through the web application or an app.
Through directory fuzzing, I discovered world-readable directories, including /files/biophoto, that contained the aforementioned pictures; they could be viewed without authenticating to the web application. Because the filenames used by the web application were incremental, enumerating every image present was trivial.
The vendor did not respond to any communication, so the vulnerability remains present in a default installation. Operators should restrict access to these directories so that the images cannot be retrieved without authentication.
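Because the exposed files have incremental names, an unauthenticated walk of /files/biophoto leaves a distinctive trace in the web server's access log: one client fetching a long run of consecutive IDs. The following detector is an added example, not part of the advisory or of BioTime itself; it assumes a combined-format access log and a "<number>.jpg" naming scheme, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format; every line fed in below is a constructed sample.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Filenames under /files/biophoto are incremental, so enumeration shows up as a run
# of consecutive numeric IDs from one client. "<number>.jpg" is an assumed scheme.
PHOTO_RE = re.compile(r'^/files/biophoto/(?P<id>\d+)\.(?:jpe?g|png)$', re.I)

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def detect_enumeration(lines, min_run=5):
    """Map client IP -> (successful photo hits, longest run of consecutive IDs)
    for every client whose longest run is at least `min_run`."""
    ids_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # only successful downloads matter for exposure
        pm = PHOTO_RE.match(rec["path"])
        if pm:
            ids_by_ip[rec["ip"]].append(int(pm.group("id")))
    findings = {}
    for ip, ids in ids_by_ip.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1  # consecutive in request order
            best = max(best, run)
        if best >= min_run:
            findings[ip] = (len(ids), best)
    return findings

# Constructed sample: one client walks IDs 1001..1008, another fetches two unrelated photos.
SAMPLE_LOG = [
    f'203.0.113.5 - - [16/May/2022:10:00:{i:02d} +0000] "GET /files/biophoto/{1000 + i}.jpg HTTP/1.1" 200 5120'
    for i in range(1, 9)
] + [
    '198.51.100.7 - - [16/May/2022:10:02:00 +0000] "GET /files/biophoto/1042.jpg HTTP/1.1" 200 4800',
    '198.51.100.7 - - [16/May/2022:10:05:30 +0000] "GET /files/biophoto/1003.jpg HTTP/1.1" 200 5001',
    '203.0.113.5 - - [16/May/2022:10:00:09 +0000] "GET /files/biophoto/1009.jpg HTTP/1.1" 404 198',
]
```

Running `detect_enumeration(SAMPLE_LOG)` flags only 203.0.113.5 with eight hits in a single run of eight consecutive IDs; the second client's two unrelated fetches stay below the threshold.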
| Date | Event |
| --- | --- |
| February 2022 | Vulnerability discovered |
| 2022-05-16 | Second contact attempt |