Christie’s Exposed Artwork Owners’ Location Data in Security Breach Targeting Sales

In a town in western Germany, a university professor was preparing to sell his inherited paintings through Christie’s, a British auction house. He took pictures of the artworks using his iPhone and uploaded them to Christie’s website for evaluation and potential auctioning. However, this action inadvertently exposed the exact location of the paintings to anyone who viewed them online, as discovered by German cybersecurity researchers Martin Tschirsich and André Zilch.

This incident highlights the widespread vulnerability to cybersecurity threats, not just for big tech companies but for individuals as well. When images are uploaded to Christie’s, they often include precise GPS coordinates that reveal the street address and even the specific location within a building where the photo was taken. According to the researchers, approximately 10% of uploaded images contain these exact GPS coordinates.
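A server-side mitigation for the exposure described above, as an added example that is not from the article, the researchers or Christie's: it drops location metadata from an upload before the image is stored or served. It assumes the uploads are JPEG files and that the coordinates travel in the Exif metadata block that phone cameras write; the names `scrub_jpeg` and `exif_has_gps` and the sample bytes are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def exif_has_gps(tiff: bytes) -> bool:
    """True if the TIFF block of an Exif segment carries a GPS pointer."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        return False
    try:
        (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
        (count,) = struct.unpack_from(order + "H", tiff, ifd0)
        tags = [struct.unpack_from(order + "H", tiff, ifd0 + 2 + 12 * i)[0]
                for i in range(count)]
    except struct.error:  # truncated or malformed directory
        return False
    return GPS_IFD_TAG in tags

def scrub_jpeg(data: bytes):
    """Return (cleaned_bytes, had_gps); every Exif APP1 segment is dropped."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, pos, had_gps = bytearray(data[:2]), 2, False
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("malformed segment header")
        marker = data[pos + 1]
        if marker == 0xDA:  # start of scan: compressed image data follows
            break
        (length,) = struct.unpack_from(">H", data, pos + 2)
        if length < 2:
            raise ValueError("malformed segment length")
        segment = data[pos:pos + 2 + length]
        if marker == 0xE1 and segment[4:10] == b"Exif\x00\x00":
            had_gps |= exif_has_gps(segment[10:])
        else:
            out += segment
        pos += 2 + length
    return bytes(out + data[pos:]), had_gps

# Constructed sample: a minimal JPEG skeleton with a JFIF header and an Exif
# segment whose IFD0 holds only a GPS pointer (no real photo or coordinates).
_tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1)
         + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
         + struct.pack("<HI", 0, 0))
_app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_app1 = b"\xff\xe1" + struct.pack(">H", len(_tiff) + 8) + b"Exif\x00\x00" + _tiff
SAMPLE = b"\xff\xd8" + _app0 + _app1 + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Dropping the whole Exif segment also discards the orientation tag, so apply any rotation before scrubbing if display depends on it. The `had_gps` flag lets an operator count affected uploads or decide which owners to notify.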

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a general warning about similar vulnerabilities at the end of July. These vulnerabilities have resulted in the compromise of personal, financial, and health information for millions of users. However, CISA did not explicitly reference any developments at Christie’s in their statement.

Christie’s, while claiming to prioritize the security and protection of personal data, declined to comment on the researchers’ findings. They stated that they continuously assess their security measures and comply with legal obligations. Nevertheless, after being alerted by The Washington Post, Christie’s implemented technical measures to address the vulnerability. It is unclear if they have notified their clients about the security lapse.

The German professor, who does not want to discuss the breach of his personal data, learned about the exposure of his artworks’ location through The Post. He expressed surprise and disappointment at Christie’s lack of communication regarding this matter.

The researchers had initially notified Christie’s about the vulnerability in June but were rebuffed when they offered to help resolve the issue. The executive from Christie’s dismissed their advice, stating that the company did not require any assistance. Tschirsich and Zilch found the response surprising and unexpected.

Unlike other tech companies, Christie’s does not appear to have a bug bounty program or offer incentives for cybersecurity researchers who discover vulnerabilities. Tschirsich and Zilch were not seeking any rewards or employment; they simply wanted Christie’s to address the vulnerability to protect user safety. The researchers have a history of uncovering vulnerabilities and providing free assistance to organizations, such as identifying risks to patient health data in Germany and identifying problems in German election software.

The researchers investigated Christie’s security at the request of an acquaintance and were astounded by how quickly they discovered the vulnerability. They emphasized that the issue is so simple that anyone with a browser could exploit it within minutes.

Tschirsich expressed surprise at Christie’s slow response, stating that temporarily closing the vulnerability would take a few hours, while completely fixing the problem would require only two days.

Denial of responsibility! VigourTimes is an automatic aggregator of Global media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, and all materials to their authors. For any complaint, please reach us at – [email protected]. We will take necessary action within 24 hours.