
Undisclosed Security Vulnerabilities Exist in US Passport/Visa Database: Report

A report has claimed that there are vulnerabilities in the US Consular Consolidated Database (CCD) that contains personal details from everyone who has applied for a US visa over the past twenty years.


The CCD information includes names, addresses, birthdates, biometric data (fingerprints and facial images), race, identification numbers (e.g. social security numbers and alien registration numbers) and country of origin. 

It is suggested that these vulnerabilities could allow third parties to access and alter the database details.

If this is true, it suggests that hackers could potentially legitimize the application for a visa from someone who would normally be rejected. Last year more than 2000 people applied for and were denied visas for having a suspected connection to terrorism.

Sean Sullivan, a security advisor with F-Secure, told SecurityWeek that he suspects the vulnerabilities fall “into the class of vulnerabilities that would allow for a record to be returned on request. And in theory, you could script a large enumerated set of requests.” Hopefully there are systems in place that will block any attempt at large scale scraping.

“I’d be more concerned with manipulation of the data in the database used to validate travelers. Depending on the quality of the fingerprints stored – Apple Pay and the like.”

Officials are playing down the vulnerabilities. There is no suggestion that the visa database has been breached or misused, and a State Department spokesperson told ABC News that the vulnerabilities would be difficult to exploit – requiring “the right level of permissions.”


The ‘right level of permissions’ is, however, precisely what is obtained through successful spear-phishing. It has been the start-point for most of the successful major breaches of the last few years.

The database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.

The vulnerabilities, associated with the aging legacy systems that comprise the CCD, were found during routine monitoring and testing, and are reportedly being remediated. However, ABC News also reports doubts that this is completely true. “Vulnerabilities have not all been fixed,” and “there is no defined timeline for closing [them] out,” according to a congressional source informed of the matter.

The mere fact that the CCD systems are aging is another problem. “Legacy systems require workarounds and compromises to get them connected to newer systems. Not a great thing for security,” added Sullivan.

According to the ABC report, CCD connects to “other federal agencies like the FBI, Department of Homeland Security and Defense Department.” These connections are likely to require the workarounds that Sullivan worries about.

Furthermore, if the front-end is already vulnerable, as seems likely, then Sullivan warns, “Vulnerable front-end systems can also reveal details about back-end systems, details that could further direct exploitation.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
