I usually don't do this but I found something that would be immoral not to disclose publicly. For those who don't know, #ClearviewAI is a program that allows law enforcement to identify someone through facial recognition. They scraped public images from the internet (Instagram, YouTube, that shady website that scrapes other websites illegally, your mother's personal Myspace page from 2006) and built facial profiles on billions of people and stored them inside their database. They are very strict about screenshots not being taken of their app. Since I figured they were familiar with scraping, I kind of scraped their website and found their webapp source along with their iOS and Android apps publicly available for download. So, I investigated further and here are some "features" I found:

- Hate being unable to stalk your ex without your boss finding out? Enable "Private Search" to do it without alerting anyone at all or even putting it in your search history.

- "Suspect" doesn't use the internet? Just add a security camera and Clearview will alert you when they pop up. Not surveillance, just "after-the-fact".

- Want your creepy cyber stalker friends to get access? Just send them an invite code or give them a work email that uses your email domain. All they have to do after that is literally click sign up.

- Hate pulling out your phone for two factor authentication? Skip that because we use Basic Auth throughout our entire API.

- Work at Clearview AI? Want to do your job? Just use the admin panel, bundled into the same sites your clients are using.

- Are you an elite hacker who wants to access Clearview AI and hacked a police officer's email? Just use the forgot password button to get super OP access to Clearview AI or sign up yourself because they use email domain whitelists.

- Work at Clearview AI? Have "back office" access? Do whatever you want because you can grant yourself whatever access you want through the panel.

- You thought Ring was bad? Wait until you hear that Clearview AI added the option to add security cameras that do the thing from the movies where everyone's face is scanned and tracked and you get notifications whenever someone appears.

That's what I gathered from Clearview AI's public website that they didn't restrict and public JS bundle. I haven't even looked at the iOS or Android apps (feel free to do that yourself).



App: https://clearview.ai/app/login

JS bundle of their website: https://gist.github.com/brxxn/ff9af51cc988c4f09d0205d0fa465496 …

iOS App (still signed, they can't release new versions): https://cv-search-releases.s3.amazonaws.com/index.html

Android App: … https://cv-search-releases-android.s3.amazonaws.com/index.html



I don't think this information is supposed to be "private," as it was literally too easy to access. I found those links through the JS bundle.

Advice to Clearview AI: Get a bug bounty program and more transparency. You really need it if you're going to scrape websites and scan a bunch of faces while expecting no one to gain access to your publicly accessible JS bundle.

cc @internetofshit

Here are the 2 pics of everything important I could find in their iOS app


FAQ Thread:

Update: They closed and auth-gated the S3 bucket for the Android APK. I don't have it downloaded but someone else probably does. Still waiting for them to auth-gate the iOS one (maybe they're leaving it open for archival/historical purposes?).

Another update: I was wrong, they don't use basic auth for authentication. They actually use cookies instead, which do have a few other issues I don't want to mention publicly.

You can follow @brxxnh1.
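
A pre-release check for the exposure the thread describes (release-bucket links and admin or back-office routes readable in a public JS bundle), as an added example that is not from the thread or from Clearview AI. The sample bundle text, the host names and the route naming pattern are constructed assumptions; a team would run this over its own build output before publishing it.

```javascript
// Constructed sample of minified bundle text (not Clearview AI's code).
const SAMPLE_BUNDLE = [
  'var r={login:"/app/login",admin:"/app/admin/users",help:"/help"};',
  'var ios="https://example-releases.s3.amazonaws.com/index.html";',
  'var apk="https://s3.us-east-1.amazonaws.com/example-android/app.apk";',
  'fetch("https://api.example.com/v1/search")',
].join("\n");

// Virtual-hosted style: <bucket>.s3[.-region].amazonaws.com
const S3_VHOST = /^([a-z0-9.-]+)\.s3[.-]([a-z0-9-]+\.)?amazonaws\.com$/;
// Path style: s3[.-region].amazonaws.com/<bucket>/...
const S3_PATH = /^s3[.-]([a-z0-9-]+\.)?amazonaws\.com$/;
// Assumed naming for staff-only routes; adjust to the project's own router.
const INTERNAL_ROUTE = /\/(admin|back-?office|internal)(\/|$)/i;

// Returns every S3 bucket reference and internal-looking route found in the
// bundle text. Hosts listed in allowedHosts are intentionally public.
function auditBundle(text, allowedHosts = []) {
  const findings = [];
  for (const raw of text.match(/https?:\/\/[^\s"'`<>)\\]+/g) || []) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed matches
    const host = url.hostname.toLowerCase();
    if (allowedHosts.includes(host)) continue;
    const vhost = S3_VHOST.exec(host);
    if (vhost) {
      findings.push({ kind: "s3-bucket", bucket: vhost[1], value: raw });
    } else if (S3_PATH.test(host)) {
      const bucket = url.pathname.split("/")[1] || "(none)";
      findings.push({ kind: "s3-bucket", bucket, value: raw });
    }
  }
  // Quoted string literals that look like router paths.
  for (const m of text.matchAll(/["'`](\/[\w\-\/:.]*)["'`]/g)) {
    if (INTERNAL_ROUTE.test(m[1])) {
      findings.push({ kind: "internal-route", value: m[1] });
    }
  }
  return findings;
}

// A build gate would fail the release when this list is not empty.
for (const f of auditBundle(SAMPLE_BUNDLE)) console.log(f.kind, f.value);
```

A finding here is a prompt to review, not proof of a hole: the bucket or route still needs its own access control, since hiding the string from the bundle does not protect it.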
