During a recent penetration test, I stumbled upon an instance of the ZKTeco BioTime web application. This application was linked to a time punch clock taking pictures of employees. The management can then analyse these pictures through the web application or an app.
Through some directory fuzzing, I …