Employee Monitoring App Leaks 21 Million Screenshots In Real Time (cybernews.com)
An anonymous reader quotes a report from Cybernews: Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies. The app, designed to track productivity by logging activity and snapping regular screenshots of employees' screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame. The leaked data is extremely sensitive, as millions of screenshots from employees' devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain login pages, credentials, API keys, and other sensitive information that could be exploited to attack businesses worldwide. After the company was contacted, access to the unsecured database was secured. An official comment has yet to be received.
Snooping Turtles All The Way Down Principle (Score:5, Insightful)
Any tool that helps managers or law enforcement snoop will eventually be breached by hackers, who then also snoop.
Re: Snooping Turtles All The Way Down Principle (Score:5, Insightful)
Also... wouldn't simply monitoring their output goals be the right way to do this? It's info a business needs anyway and doesn't require external access from 3rd parties.
Actual metrics or progress are hard to get ... (Score:4, Informative)
Also... wouldn't simply monitoring their output goals be the right way to do this? It's info a business needs anyway and doesn't require external access from 3rd parties.
I expect it's motivated by remote work. Judging progress towards a goal would require a manager who is well qualified to judge the amount of work necessary for a task, to be in frequent communication with an employee to know of any unexpected problems delaying completion, perhaps helping to address those problems, etc. In other words, it would require management to be doing a lot of work keeping informed and up to date and being useful. An app that tells them how many hours a day someone is moving a mouse or typing at a keyboard is so much easier.
Even potentially password too... (Score:2)
Even potentially password too since more and more browsers, web sites and apps have had a brilliant idea and now display a button to make the password visible on the login page.
Re: Even potentially password too... (Score:2)
Not showing passwords won't help you when the snooping app also logs the keys you press.
And yet no remorse for installing it... (Score:5, Insightful)
And yet the execs who ordered the installation of this literal spyware will still keep insisting that it was the right thing to do even after this breach. Heck, even if the breach had compromised their root passwords and gotten their servers taken down for a week, they would still believe that spying on their employees was the right thing to do.
Why? Because the sorts of bosses who install employee monitoring software are, for the most part, the sorts of people who think that preventing even one person from freeloading off the company is more important than ensuring that people are able to do their jobs and make money for the company. These are the same sorts of people who want to make it harder for living elderly people to collect their Social Security checks, despite incredibly low levels of fraud, because incredibly low is not zero. These are the same sorts of people who want to make it harder to vote, despite incredibly low levels of fraud, because incredibly low is not zero.
This way of thinking is a disease that rots companies and countries from the inside out.
There are exceptions, of course — the sorts of companies that frequently experience state actors trying to exfiltrate data and source code, for example — but I can likely list all of the companies that this exception applies to, and can count them on one hand as long as I use binary.
So I'm rolling my eyes and experiencing a decent amount of schadenfreude right now. Just saying.
Re: (Score:2)
Re: And yet no remorse for installing it... (Score:2)
Re: (Score:2)
Just this morning I was talking to my wife about how people told to manage seem to develop a bias toward cruelty even when they hate it. As a matter of fact, I sometimes wonder if suffering through unpleasant decisions is some sort of masochistic thing where they have to feel a certain amount of stress to convince themselves they've done an adequate job.
Just recently another large org restructured at my company. Tons of good employees, managers, and teams were destroyed. Many of them thought their hard work
Re: And yet no remorse for installing it... (Score:2)
Formally known in business as The Peter Principle: being promoted to your highest level of incompetence. Being a star employee doesn't necessarily make one a good leader.
True leadership is about getting the most out of your team by keeping things
Re: (Score:2)
Yes, the Stanford Prison Experiment comes to mind in regards to this cruelty you speak of.
You know that experiment failed to be replicated when done in an environment where the researcher wasn't pressuring the students [vox.com] to treat each other badly using political motivations, right?
I think it is far more likely that people who crave power and dominance over others naturally seek out positions where they have power, rather than that power turns good people evil. *
* I'm deliberately ignoring self-serving corruption, of course. There's a big difference between spontaneously deciding to use your power
Re: (Score:2)
can count them on one hand as long as I use binary.
I'll have to remember that to steal it for another forum I participate in. :-)
Wait for it (Score:4, Informative)
This will eventually happen to Microsoft Recall ... on a much grander scale.
Re: (Score:2)
This will eventually happen to Microsoft Recall ... on a much grander scale.
Maybe even a Total Recall, but *much* less enjoyable/entertaining -- I'm guessing anyway. :-)
Re: Wait for it (Score:2)
For many people it will be wildly entertaining... I'm starting to fill my popcorn stash expecting the grand show.
Re: Wait for it (Score:1)
Re: Wait for it (Score:2)
Until some data exfiltration malware helpfully does it.
Re: Wait for it (Score:2)
P.S. Few files on my boss' computer can be more embarrassing than eventual screenshots of the porn he watches.
Re: Wait for it (Score:2)
Imagine my shock! (Score:3)
In this instance the only way to see my 'shocked face' is to imagine it, because I'm not even surprised, never mind shocked. In fact, the phrase "I told ya so" comes to mind.
Public AWS bucket? (Score:2)
I am going to have to ask... making an AWS bucket public takes deliberate doing. You have to set a flag on the entire tenant to allow it, and then explicitly set it public. This never happens by accident.
Now, the employee monitoring stuff. Since it has screenshots and such of all data, its data classification winds up having to be at the highest level that a company has. This means encryption, compartmentalization, even physical checks of where the data is stored. All audited. It seems these bossware
Re: (Score:2)
where data is stored E2EE.
What does E2EE have to do with encryption at rest?
E2EE refers to transport.
Re: (Score:2)
Re: (Score:2)
How old is the product? It used to be much easier to make s3 buckets public.
I'll give them the benefit of the doubt that nobody went out of their way to do something stupid, or did the old 'I don't understand this, shut off all the security'.
What is rather inexcusable here is that the most basic of security reviews, I am talking like a completely automated CIS Benchmark check, point click go, should have picked up public permissions on a bucket.
That should have triggered:
Someone to say "WTF that is our image data pool, e
Re: (Score:2)
making an AWS bucket public takes deliberate doing.
I was coming to post just this. Not only do you have to deliberately set it to Public but there are multiple warnings along the way telling you what you're attempting to do makes it available to the great wide world.
Re: (Score:2)
If it requires a willful action to make the bucket public, then it's quite likely a bad actor is implanted in the company and enabling discreet data exfiltration to interested 3rd parties...
Re: (Score:2)
I thought the same - AWS now makes it much, much harder to make a public bucket unless you really, really want to do it. Via the browser there are a load of warnings, and even via the API you have to set some obvious mandatory flags to do it.
I wouldn't be surprised if in fact, the client application writes directly to the S3 bucket. It likely uses some credentials the app gets from the mothership from time to time. Someone didn't think to alter the bucket policy to prevent unauthenticated reads. That's at l
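Two replies above make the same point from different angles: an automated CIS-style benchmark check would have flagged a bucket with public permissions, and a client that writes screenshots straight to S3 behind a bucket policy that never blocks anonymous reads is a plausible way to end up there. What follows is an added example (my own, not code from the article, the thread, or WorkComposer) of what such a check actually evaluates: it walks a bucket policy for Allow statements that give Principal "*" an object-read action, and verifies that all four PublicAccessBlock flags are set. The bucket name example-screenshots, the account id 111122223333 and the two role names are hypothetical, and the weak and hardened policies are constructed for illustration; audit_live_bucket wires the same checks to the real boto3 get_bucket_policy and get_public_access_block calls but is not exercised offline.

```python
"""Offline audit of an S3 bucket policy and PublicAccessBlock for anonymous reads.

Added example (not from the original page or WorkComposer): the check a
CIS-style benchmark runs. Bucket, account id and role names are hypothetical;
the sample policies are constructed.
"""
import json
from typing import Any, Dict, List, Optional

READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}  # expose object contents
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value: Any) -> List[Any]:
    return [] if value is None else value if isinstance(value, list) else [value]

def _is_anonymous_principal(principal: Any) -> bool:
    # IAM spells "anyone" as "*" or {"AWS": "*"} (the latter possibly in a list).
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_public_read_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements letting anonymous principals read objects.
    Conditioned statements are reported but flagged (a broad aws:SourceIp range
    is a common false sense of safety); Deny statements with "*" are skipped."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                             "conditional": "Condition" in stmt})
    return findings

def public_access_block_missing_flags(config: Optional[Dict[str, Any]]) -> List[str]:
    """Flags not True; an empty list means public policies and ACLs are blocked."""
    return [flag for flag in PAB_FLAGS if (config or {}).get(flag) is not True]

def audit_bucket(policy: Optional[Dict[str, Any]], pab: Optional[Dict[str, Any]]) -> List[str]:
    """Findings in plain English; an empty list means both checks pass."""
    findings = []
    for f in find_public_read_statements(policy or {}):
        kind = "conditional anonymous read" if f["conditional"] else "ANONYMOUS READ"
        findings.append(f"policy statement '{f['sid']}' grants {kind}")
    missing = public_access_block_missing_flags(pab)
    if missing:
        findings.append("PublicAccessBlock incomplete, missing: " + ", ".join(missing))
    return findings

def audit_live_bucket(bucket: str) -> List[str]:
    """Same checks against a real bucket (needs boto3 and credentials; not run here)."""
    import boto3  # lazy import so the offline example has no SDK dependency
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")

    def fetch(call, key, absent_code):
        try:
            return call(Bucket=bucket)[key]
        except ClientError as err:
            if err.response["Error"]["Code"] == absent_code:
                return None  # not configured: no policy passes, no PAB is reported
            raise

    raw = fetch(s3.get_bucket_policy, "Policy", "NoSuchBucketPolicy")
    pab = fetch(s3.get_public_access_block, "PublicAccessBlockConfiguration",
                "NoSuchPublicAccessBlockConfiguration")
    return audit_bucket(json.loads(raw) if raw else None, pab)

# Constructed samples. "AgentUpload" is what a client writing screenshots straight
# to S3 needs; "AnonymousRead" is the mistake that hands every object to the world.
BUCKET = "arn:aws:s3:::example-screenshots"  # hypothetical
AGENT_ROLE = "arn:aws:iam::111122223333:role/screenshot-agent"  # hypothetical
VIEWER_ROLE = "arn:aws:iam::111122223333:role/screenshot-viewer"  # hypothetical
UPLOAD = {"Sid": "AgentUpload", "Effect": "Allow", "Principal": {"AWS": AGENT_ROLE},
          "Action": "s3:PutObject", "Resource": BUCKET + "/*"}

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    UPLOAD,
    {"Sid": "AnonymousRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
]}

# Hardened: reads go only to a named role, and a Deny with Principal "*" forces
# TLS without opening anything, which the audit correctly ignores.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    UPLOAD,
    {"Sid": "ViewerRead", "Effect": "Allow", "Principal": {"AWS": VIEWER_ROLE},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
FULL_PAB = {flag: True for flag in PAB_FLAGS}
```

audit_bucket(WEAK_POLICY, None) returns two findings (the anonymous read statement and a PublicAccessBlock with no flags set); audit_bucket(HARDENED_POLICY, FULL_PAB) returns none. The hardened policy's Deny statement also names Principal "*", which is why the check looks at Effect before anything else. Bucket and object ACLs are a third route to public reads that this script does not parse; BlockPublicAcls and IgnorePublicAcls close that route when the PublicAccessBlock check passes.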
Counting Possibilities (Score:3)
"a workplace surveillance app used by over 200,000 people across countless companies."
If we're talking a neighborhood of 200,000 people, some AI-based counter should be able to determine that, should be 200,000 or fewer.
Re: (Score:2)
It helps extremely insecure people know that their employees are doing something besides browse Craigs List and Bumble all day, at least on the screen that's monitored. This app is for the utterly incompetent manager, of which there is no shortage.