blindthoughts
breaking · By

UK Visa Portal Actively Leaking Passport Photos and Selfies — Still Unfixed

Active Data Breach: UK Visa Applicant Documents Exposed

A third-party website used in the UK visa application process has been leaking applicants' passport scans and facial selfies to unauthenticated users — and as of this writing, the leak remains unpatched.

What Happened

The vulnerability allowed anyone to access sensitive identity documents — full passport bio pages and biometric selfies — belonging to thousands of people who submitted UK visa applications through the portal. The exposure wasn't a theoretical risk: documents were directly accessible. When researchers disclosed the issue to the company responsible, the response was to dispatch attorneys rather than engineers. The portal remains live and the flaw is reportedly still present.

This is a textbook case of a broken object-level authorization (BOLA/IDOR) flaw: document URLs or IDs that don't enforce per-user access controls, meaning any authenticated — or in some reports, even unauthenticated — session can enumerate and retrieve other users' files.

Why It Matters

Passport scans combined with facial images are among the most dangerous identity documents to lose. Unlike a leaked password, you cannot rotate your face or your passport number on short notice. This combination is sufficient for:

The legal-threat response to disclosure is also a red flag that remediation is not imminent. Anyone who submitted a UK visa application through a third-party portal in recent months should assume their documents may be compromised until the company issues a specific all-clear.

For security engineers and architects: this breach is a concrete reminder that document upload flows are high-value targets. Pre-signed S3 URLs with no expiry, sequential object IDs in storage paths, and missing access control middleware on download endpoints are all patterns that produce exactly this outcome.

What to Do

If you submitted a UK visa application recently:

If you run a document-handling service:

For incident response leads: If your organization uses this portal for employee visa sponsorship, you have an obligation to notify affected employees and potentially report under GDPR Article 33 if you're a data controller in the chain.

Share:𝕏inr/HN🦋@
Was this useful?