America’s Secret Terrorist Watchlist Exposed on the Web Without a Password

August 19th, 2021

Via: Volodymyr “Bob” Diachenko:

On July 19, 2021 I discovered a terrorist watchlist containing 1.9 million records online without a password or any other authentication required to access it.

The watchlist came from the Terrorist Screening Center, a multi-agency group administered by the FBI. The TSC maintains the country’s no-fly list, which is a subset of the larger watchlist. A typical record in the list contains a full name, citizenship, gender, date of birth, passport number, no-fly indicator, and more.

I immediately reported it to Department of Homeland Security officials, who acknowledged the incident and thanked me for my work. The DHS did not provide any further official comment, though.

What data was exposed?

The exposed Elasticsearch cluster contained 1.9 million records. I do not know how much of the full TSC Watchlist it stored, but it seems plausible that the entire list was exposed.

Each record in the watchlist contained some or all of the following info:

Full name
TSC watchlist ID
Citizenship
Gender
Date of birth
Passport number
Country of issuance
No-fly indicator

The data also included a couple of categorical fields that I was unable to identify, including “tag,” “nomination type,” and “selectee indicator”.

Notably, the database was found on a Bahrain IP address, not a US one.
