Thieves, come visit: Christie's auction house reveals the real location of masterpieces of art

How one metadata field in an uploaded photo compromised the physical security of hundreds of an auction house's customers

An interesting incident recently came to light. A professor at a German university was preparing paintings he had inherited for sale through the well-known auction house Christie's. He photographed the works at home with his iPhone so that he could later upload the photos to the platform's website.

What the professor did not know was that uploading the images also uploaded the geolocation data embedded in them: when location access is enabled for the Camera app, an iPhone writes the GPS coordinates of the shot into each photo's EXIF metadata. Christie's served the files with that metadata intact, revealing the physical location of the works to anyone who downloaded the images.

The coordinates were precise enough to give away not only the professor's home address but also, to within about a meter, where inside the building the valuable works were stored.

Had this information reached a burglar, the physical safety of the professor and of his property would have been at risk. A trained crew of several people would have little trouble breaking into an ordinary residential building and robbing its owner of the paintings and anything else of value.

The vulnerability in the Christie's service was discovered by researchers Martin Tschirsich and André Zilch of the German cybersecurity firm Zentrust Partners. Hundreds of other prospective Christie's customers were reportedly affected by the same flaw on the platform.

At the end of July, the US Cybersecurity and Infrastructure Security Agency (CISA) had already warned the public about this class of vulnerability. According to the agency, such flaws have already exposed millions of users to data compromise.

Representatives of Christie's, which says it is committed to careful handling of personal data, declined to answer questions or to confirm the researchers' conclusions. The company nevertheless took steps to address the problem, though only after major media outlets became involved.

It is unclear whether Christie's informed its clients of the breach at all. The German professor said the company never contacted him; he learned that the location of his works had been published only afterwards, from journalists.

Tschirsich and Zilch also said they had warned Christie's about this serious vulnerability before it became publicly known.

Many technology companies pay researchers who uncover such security flaws; Christie's is not one of them. The researchers offered the company their help in fixing the vulnerability free of charge, and that offer was ignored as well.

According to Tschirsich, a temporary mitigation could have been put in place by specialists within a few hours, and the vulnerability eliminated completely within two days. Christie's declined the offer and took considerably longer to fix the problem, leaving its customers exposed for longer than necessary.

The researchers believe that this habitual disregard of expert warnings by some companies raises serious questions about how such companies prioritise cybersecurity.

Christie's should clearly reconsider its handling of such incidents if it wants to avoid future data leaks and threats to the physical safety of its customers.
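The mechanism described above, as an added example that is not from the article, from Christie's or from Zentrust Partners: a standard-library Python parser that pulls the GPS tags out of a JPEG's Exif APP1 segment (the same fields an iPhone writes), alongside a stripper that removes the metadata segments an upload pipeline should drop before publishing a file. The JPEG bytes and the coordinates inside them are constructed for the example and are not from any real photo; the function names are the example's own.

```python
"""Detect and strip GPS coordinates in JPEG Exif metadata (standard library only)."""
import struct

SOI, EOI, SOS, APP0, APP1, APP13, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xED, 0xFE
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD


def jpeg_segments(data):
    """Yield (marker, start, end) for every marker segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = data[i + 1]
        if marker == SOS:  # entropy-coded image data follows; no more metadata
            return
        length = struct.unpack(">H", data[i + 2:i + 4])[0]  # includes the 2 length bytes
        yield marker, i, i + 2 + length
        i += 2 + length


def read_ifd(tiff, e, offset):
    """Return {tag: (type, count, value_field)} for the IFD at 'offset' in the TIFF blob."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for k in range(n):
        ent = offset + 2 + 12 * k
        tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        entries[tag] = (typ, count, tiff[ent + 8:ent + 12])
    return entries


def read_values(tiff, e, typ, count, field):
    """Decode an entry's values; 'field' holds them inline if they fit in 4 bytes, else an offset."""
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        raw = field[:size]
    else:
        off = struct.unpack(e + "I", field)[0]
        raw = tiff[off:off + size]
    if typ == 2:  # ASCII, NUL-terminated
        return raw.rstrip(b"\0").decode("ascii")
    if typ in (5, 10):  # (S)RATIONAL: numerator/denominator pairs
        nums = struct.unpack(e + "%d%s" % (2 * count, "I" if typ == 5 else "i"), raw)
        return [(nums[k], nums[k + 1]) for k in range(0, len(nums), 2)]
    fmt = {1: "B", 3: "H", 4: "I", 7: "B", 9: "i"}[typ]
    return list(struct.unpack(e + "%d%s" % (count, fmt), raw))


def dms_to_decimal(dms, ref):
    """Convert [(deg), (min), (sec)] rationals plus an N/S/E/W reference to signed decimal degrees."""
    d, m, s = (n / den for n, den in dms)
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(data):
    """Return (lat, lon) from the Exif APP1 segment, or None when no GPS position is present."""
    for marker, start, end in jpeg_segments(data):
        if marker != APP1 or data[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = data[start + 10:end]
        e = "<" if tiff[:2] == b"II" else ">"  # byte order declared by the TIFF header
        ifd0 = read_ifd(tiff, e, struct.unpack(e + "I", tiff[4:8])[0])
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = read_ifd(tiff, e, read_values(tiff, e, *ifd0[GPS_IFD_TAG])[0])
        if not all(t in gps for t in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
            return None
        vals = {t: read_values(tiff, e, *gps[t]) for t in (1, 2, 3, 4)}
        return dms_to_decimal(vals[2], vals[1]), dms_to_decimal(vals[4], vals[3])
    return None


def strip_location_metadata(data):
    """Drop APP1 (Exif and XMP), APP13 (IPTC) and COM segments; keep the image data untouched."""
    out = bytearray(b"\xff\xd8")
    scan_start = 2
    for marker, start, end in jpeg_segments(data):
        scan_start = end
        if marker in (APP1, APP13, COM):
            continue
        out += data[start:end]
    out += data[scan_start:]  # SOS marker, scan data and EOI copied verbatim
    return bytes(out)


def build_sample_jpeg():
    """Constructed minimal JPEG: APP0, Exif APP1 carrying 50°06'36"N 8°40'48"E (invented), SOS stub, EOI."""
    e = "<"

    def entry(tag, typ, count, field):
        return struct.pack(e + "HHI", tag, typ, count) + field

    lat = struct.pack(e + "6I", 50, 1, 6, 1, 3600, 100)   # 50 deg, 6 min, 36.00 sec
    lon = struct.pack(e + "6I", 8, 1, 40, 1, 4800, 100)   # 8 deg, 40 min, 48.00 sec
    ifd0 = struct.pack(e + "H", 1) + entry(GPS_IFD_TAG, 4, 1, struct.pack(e + "I", 26)) + b"\0" * 4
    gps = (struct.pack(e + "H", 4)
           + entry(1, 2, 2, b"N\0\0\0") + entry(2, 5, 3, struct.pack(e + "I", 80))
           + entry(3, 2, 2, b"E\0\0\0") + entry(4, 5, 3, struct.pack(e + "I", 104))
           + b"\0" * 4)
    tiff = b"II*\0" + struct.pack(e + "I", 8) + ifd0 + gps + lat + lon  # IFD0 at 8, GPS IFD at 26

    def seg(marker, body):
        return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

    return (b"\xff\xd8" + seg(APP0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0") + seg(APP1, b"Exif\0\0" + tiff)
            + b"\xff\xda\0\x08\x01\x01\0\0\x3f\0" + b"\x12\x34" + b"\xff\xd9")


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("uploaded file reveals:", extract_gps(photo))
    print("after stripping:", extract_gps(strip_location_metadata(photo)))
```

Run the strip server-side on every upload, not in the client, and re-check the stored file with `extract_gps` afterwards; XMP (also APP1) and IPTC (APP13) can carry a location as well, which is why those segments are dropped too. Re-encoding through an image library usually discards metadata as a side effect, but a check on the bytes actually served is what proves the fix.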