A third-party UK visa application website exposed more than 100,000 passport scans and biometric selfies through a misconfigured cloud storage server — and when security researchers reported the vulnerability, the company behind the site responded with legal threats instead of fixing the problem, according to an investigation reported by Security Affairs.
The site, branded as "UK Visa Portal," charges users fees to assist with UK visa applications. It has no connection to GOV.UK or the UK Home Office. The operation appears to be run by Active Leadgen LLC, a company registered in the United Arab Emirates.
A Highly Sensitive Data Exposure
The compromised data pairs government-issued passport scans with selfie photographs — a combination that security experts consider exceptionally dangerous. Together, these two data elements provide attackers with everything needed to defeat facial-recognition-based identity verification systems deployed by banks, fintech platforms, and government services worldwide.
With both a valid identity document and a corresponding biometric image, fraudsters face significantly fewer obstacles when attempting to impersonate victims across digital platforms.
Hostile Response to Responsible Disclosure
Rather than securing the exposed AWS S3 bucket upon learning of the vulnerability, Active Leadgen LLC reportedly chose to intimidate the researchers who flagged the issue — sending legal threats to those following responsible disclosure practices.
This "shoot the messenger" approach is a well-documented pattern across the cybersecurity industry, one that discourages transparent reporting and prolongs the window during which user data remains at risk. Security researchers who responsibly report flaws increasingly face litigation threats rather than cooperation, a trend that ultimately harms the very organisations seeking to silence them.
A Preventable Misconfiguration
The root cause — a publicly accessible Amazon Web Services S3 bucket — is among the most common and most easily remedied cloud misconfigurations. AWS provides private-by-default access controls and extensive documentation on securing storage buckets. Despite this, exposed S3 instances continue to surface with alarming regularity, typically because organisations either fail to audit their cloud configurations or lack the in-house expertise to manage them properly.
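The two controls the paragraph refers to are a bucket policy that must not grant access to anonymous principals and S3 Block Public Access, whose four settings should all be enabled. The following Python audit helper is an added example for this article, not code from the operator or from AWS; the bucket policy, bucket name, role ARN and VPC endpoint id in it are constructed, since the article does not publish the real configuration.

```python
import json

# Constructed sample bucket policy (not the operator's real policy): one statement
# grants anonymous read on every object, one is scoped to a role, one is anonymous
# but narrowed by a Condition and therefore needs human review rather than a verdict.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::visa-uploads-example/*"},
        {"Sid": "AppWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/upload-service"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::visa-uploads-example/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::visa-uploads-example/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# The four S3 Block Public Access settings; a private-only bucket has all of them True.
REQUIRED_BLOCK = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_anonymous(principal):
    """True if the Principal element names everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False

def find_public_statements(policy_json):
    """Return (sid, severity) for each Allow statement open to anonymous principals.
    Severity is 'public' when unconditional and 'review' when a Condition narrows it."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         "review" if stmt.get("Condition") else "public"))
    return findings

def missing_public_access_blocks(config):
    """Return the Block Public Access settings that are absent or disabled."""
    return [key for key in REQUIRED_BLOCK if not config.get(key, False)]

if __name__ == "__main__":
    for sid, severity in find_public_statements(SAMPLE_POLICY):
        print(f"{severity}: statement {sid}")
    weak = {"BlockPublicAcls": True, "IgnorePublicAcls": False}  # constructed weak config
    print("disabled:", missing_public_access_blocks(weak))
```

In a real audit the policy JSON and the configuration dictionary would come from the GetBucketPolicy and GetPublicAccessBlock API responses for each bucket in the account.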
Consumer Risk From Government-Lookalike Sites
The incident also highlights a broader consumer risk. Third-party services that mimic the branding and design of official government portals invest heavily in search engine optimisation, making them appear prominently in search results and often indistinguishable from legitimate government channels to the untrained eye. Applicants seeking UK visas — or any government service — should always verify they are submitting documents through the authentic official portal.
As of publication, it remains unconfirmed whether the exposed S3 bucket has been secured. Neither the UK Information Commissioner's Office (ICO) nor the Home Office has issued a public statement on the matter, and no regulatory investigation has been announced.
For IT professionals and cloud administrators, the case delivers a stark reminder: basic access controls on cloud storage are not optional. When the data in question includes passport scans and biometric identifiers, the consequences of misconfiguration extend far beyond a technical oversight — they put the identities of tens of thousands of people in jeopardy.