Found storing user fingerprints as raw image files
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libfprint | Fix Released | Unknown | |
libfprint (Ubuntu) | Won't Fix | High | Unassigned |
Bug Description
Dear all,
Currently, libfprint saves a fingerprint image (FP1 or 2?) to a file on the host without any encryption.
Once a fingerprint has been leaked, victims are leaked for the rest of their lives, since it lasts for life.
It is necessary to prepare for the problem.
Especially, when I use `fp_print_
Though `fprintd` generates the fingerprint image with root permission to protect the file from attackers, it is not in itself sufficient.
FYI, similar issues on Android have been reported, and cryptographic operations were introduced to encrypt fingerprints (see [1-2]).
[1] https:/
[2] https:/
Lastly, is it a kind of `CWE-311: Missing Encryption of Sensitive Data`? (see https:/
Many thanks!!
information type: Public → Public Security
Changed in libfprint (Ubuntu): status: New → Triaged
Changed in libfprint: status: Unknown → New
Changed in libfprint: status: New → Fix Released
Thank you for your bug report. Could you maybe report that upstream? We don't have any active maintainer for that stack in Ubuntu, and upstream is better placed to respond to the issues you are raising.