A private visa assistance website used by travelers seeking permission to enter the United Kingdom left a large collection of customer records accessible online, exposing passport copies, identity verification photographs, and location information linked to applicants.
The website, known as UK Visa Portal, offers paid assistance for visa and travel authorization applications. The platform is not operated by the U.K. government, although reports indicate that some users may have mistaken it for an official government service and paid application-related fees through the site instead of using government channels.
The exposure came to light after an individual discovered a security issue affecting the platform and reported it to journalists. According to information shared by the source, the accessible records included more than 100,000 files uploaded by applicants during the visa application process. These files reportedly contained passport images and selfie photographs that users submitted to verify their identities.
Following inquiries from journalists, the exposed data was secured. However, details regarding how long the information remained accessible have not been publicly disclosed.
According to reporting on the incident, the exposed records were stored in an Amazon-hosted cloud storage repository used by UK Visa Portal. While the storage system did not openly display a list of documents to the public, individual files could still be accessed by anyone who possessed the correct web address. The individual who identified the issue stated that a flaw within the website’s backend functionality made it possible to view references to files stored in the cloud environment.
Journalists investigating the incident reportedly verified the authenticity of the exposed records by contacting individuals whose documents appeared in the dataset. Those contacted confirmed that the information matched records they had submitted through the platform.
Beyond passport scans and identity photographs, some uploaded images reportedly contained embedded geolocation metadata. This information can be automatically recorded by smartphones and digital cameras when a photograph is taken. In certain cases, the metadata was reportedly detailed enough to reveal the location where the image was captured, including locations associated with applicants’ residences.
The exposure of identity documents can create opportunities for fraud and impersonation. Passports, facial images, dates of birth, addresses, and other personal identifiers are frequently used during account verification processes. If obtained by unauthorized parties, such information may be used in attempts to create fraudulent accounts, bypass identity checks, or conduct targeted social engineering operations.
The handling of the incident has also left several questions unanswered. Reports indicate that journalists attempted to notify the company about the security issue but were unable to identify a dedicated vulnerability reporting channel. The website reportedly did not provide public contact information for company executives or security personnel responsible for addressing cybersecurity matters.
After initial contact was made through customer support, a manager was identified as a potential point of contact. However, reports indicate that direct engagement with company management did not occur. Instead, communication later involved representatives from a public relations firm and attorneys from a U.S.-based law firm.
Following publication of the findings, journalists sought additional information regarding the incident, including the length of time the storage repository remained exposed, whether acces
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: