Researchers from FireEye have found that data that could be used to clone a user’s fingerprint was stored as an unencrypted “world readable” image file on HTC smartphones.
Four security researchers discovered that the image file, which is a clear replica of a user’s fingerprint, could be stolen by rogue apps or hackers.
“While some vendors claimed that they store user’s fingerprints encrypted in a system partition, they put users’ fingerprints in plaintext and in a world readable place by mistake,” the authors wrote. “On the HTC One Max X the fingerprint is saved as /data/dbgraw.bmp with a 0666 permission setting (world readable). Any unprivileged processes or apps can steal user’s fingerprints by reading this file.”
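The quoted finding comes down to a permission bit: mode 0666 (rw-rw-rw-) sets the "other" read bit, so every local process, privileged or not, may open the file. As an added example that is not part of the article or the FireEye report, the following Python audits a directory for world-readable regular files and restricts the offenders to owner-only access. The directory and file names are constructed for the demonstration and stand in for whatever sensitive data store a device vendor or app developer needs to check.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_world_readable(mode: int) -> bool:
    """True when the 'other' read bit (o+r) is set, as it is for 0666 or 0644."""
    return bool(mode & stat.S_IROTH)


def audit_world_readable(root: str) -> list[str]:
    """Walk `root` and return relative paths of regular files any local user can read."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and is_world_readable(st.st_mode):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def remediate(root: str, paths: list[str]) -> None:
    """Restrict each listed file to owner read/write only (0600)."""
    for rel in paths:
        os.chmod(os.path.join(root, rel), 0o600)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed data directory, audit it, fix it, and audit again.

    Returns (world_readable_before, world_readable_after).
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: a sensor dump left at the weak 0666 setting.
        leaky = Path(root) / "dbgraw.bmp"
        leaky.write_bytes(b"BM" + b"\x00" * 14)  # placeholder bitmap header only
        os.chmod(leaky, 0o666)

        # Constructed sample: a properly restricted file for comparison.
        private = Path(root) / "template.enc"
        private.write_bytes(b"\x00" * 16)
        os.chmod(private, 0o600)

        before = audit_world_readable(root)
        remediate(root, before)
        after = audit_world_readable(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("world-readable before:", before)
    print("world-readable after: ", after)
```

The audit keys on the mode bits alone, which is the right check here: Android's per-app UID sandbox cannot protect a file whose own permissions grant read access to everyone. Running the same walk over a real data partition (as root, since unprivileged processes cannot list it) is a cheap build-time or CI check for exactly the mistake the researchers describe.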