UK Visa Portal Actively Leaking Passport Photos and Selfies — Still Unfixed
Active Data Breach: UK Visa Applicant Documents Exposed
A third-party website used in the UK visa application process has been leaking applicants' passport scans and facial selfies to unauthenticated users — and as of this writing, the leak remains unpatched.
What Happened
The vulnerability allowed anyone to access sensitive identity documents — full passport bio pages and biometric selfies — belonging to thousands of people who submitted UK visa applications through the portal. The exposure wasn't a theoretical risk: documents were directly accessible. When researchers disclosed the issue to the company responsible, the response was to dispatch attorneys rather than engineers. The portal remains live and the flaw is reportedly still present.
This is a textbook case of a broken object-level authorization (BOLA/IDOR) flaw: document URLs or IDs that don't enforce per-user access controls, meaning any authenticated — or in some reports, even unauthenticated — session can enumerate and retrieve other users' files.
Why It Matters
Passport scans combined with facial images are among the most dangerous identity documents to lose. Unlike a leaked password, you cannot rotate your face or your passport number on short notice. This combination is sufficient for:
- Identity fraud and synthetic identity creation
- Account takeover at financial institutions using KYC document matching
- Social engineering attacks against targets whose nationality and photo are now known
The legal-threat response to disclosure is also a red flag that remediation is not imminent. Anyone who submitted a UK visa application through a third-party portal in recent months should assume their documents may be compromised until the company issues a specific all-clear.
For security engineers and architects: this breach is a concrete reminder that document upload flows are high-value targets. Pre-signed S3 URLs with no expiry, sequential object IDs in storage paths, and missing access control middleware on download endpoints are all patterns that produce exactly this outcome.
What to Do
If you submitted a UK visa application recently:
- Monitor your credit file and any financial accounts that accept passport-based verification
- Be alert to phishing attempts that reference your nationality or appearance — attackers with your photo can craft convincing pretexts
- Check whether your application went through the official UKVI portal (gov.uk) or a third-party intermediary; the exposure is specific to the third-party provider
If you run a document-handling service:
- Audit every file download endpoint for BOLA: can user A fetch user B's document by changing an ID or URL parameter?
- Ensure pre-signed URLs have short TTLs (minutes, not days) and are scoped to the authenticated user's session
- Add automated tests that assert cross-user document access returns 403, not 200
- Review your disclosure response process — legal threats to researchers delay fixes and guarantee worse press
For incident response leads: If your organization uses this portal for employee visa sponsorship, you have an obligation to notify affected employees and potentially report under GDPR Article 33 if you're a data controller in the chain.
Synthesized by Claude · sanity-checked before publish.