** Changed in: libfprint
Status: New => Fix Released
https://bugs.launchpad.net/bugs/1818938
Title:
Found storing user fingerprints as raw image files
Status in libfprint:
Fix Released
Status in libfprint package in Ubuntu:
Triaged
Bug description:
Dear all,
Currently, libfprint saves a fingerprint image (FP1 or 2?) to a file
on the host without any encryption.
Once a fingerprint has been leaked, victims are leaked for the rest of
their lives, since it lasts for life.
It is necessary to prepare for the problem.
Especially, when I use `fp_print_data_save()` from the libfprint library
to enroll my fingerprints, the image is saved in the user’s home
directory without any protection scheme.
Though `fprintd` generates the fingerprint image with root permission to
protect the file from attackers, it is not in itself sufficient.
FYI, similar issues on Android have been reported and cryptographic
operations are introduced to encrypt the fingerprint (see [1-2]).
[1] https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
[2] https://www.zdnet.com/article/hackers-can-remotely-steal-fingerprints-from-android-phones/
Lastly, is it a kind of `CWE-311: Missing Encryption of Sensitive Data`? (see
https://cwe.mitre.org/data/definitions/311.html)
Many thanks!!