
Dahua ICC Information Disclosure Scanner

Detects 'Information Disclosure' vulnerability in Dahua ICC.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 5 days 5 hours
Scan only one: Domain, Subdomain, IPv4


Dahua ICC is a product primarily used in video surveillance and intelligent building security systems. It is widely used by security agencies, commercial buildings, and organizations requiring advanced surveillance solutions. The product is designed to provide high-quality video capture and processing for enhanced security. Dahua ICC supports a wide range of surveillance features, ensuring reliable performance in various surveillance scenarios. The system is known for its robust architecture, making it suitable for deployment in both large-scale and small-scale security environments. Dahua's solutions are trusted globally due to their innovative technology and user-friendly interface.

Information Disclosure vulnerabilities occur when sensitive data is unintentionally exposed to unauthorized users. In the context of Dahua ICC, such vulnerabilities can lead to the exposure of personally identifiable information (PII) like names, gender, and birthdates. These vulnerabilities can have severe implications for privacy and data protection. They arise primarily due to inadequately protected endpoints that handle sensitive data. Attackers can exploit these vulnerabilities to gather intelligence or cause reputational damage. Information Disclosure in Dahua ICC needs prompt remediation to prevent unauthorized data access.

The Dahua ICC Information Disclosure vulnerability exists in certain API endpoints. The vulnerable endpoint, `/evo-apigw/evo-face/personInfo/page`, reveals personal information such as name, sex, and birthday when accessed without proper authorization. A GET request to this endpoint that returns status code 200 indicates successful data retrieval. The presence of sensitive fields like "name", "sex", and "birthday" in the response confirms the existence of the vulnerability. Such exposures are typically due to insufficient access control measures.
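For asset owners reviewing their own logs, the following added example (not part of the original page or of any Dahua or S4E tooling) tallies, per client, GET requests to the endpoint above that were served with 200 versus denied. It assumes a reverse proxy in front of the platform writing Combined Log Format; the log lines are constructed, and because an access log does not record whether a request was authorized, each client with served requests still has to be checked against the expected callers.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/evo-apigw/evo-face/personInfo/page"  # endpoint named on this page

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize(target):
    """Drop the query string, percent-decode, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/")

def find_exposures(lines):
    """Return {client_ip: {"served": n, "denied": n, "bytes": n}} for the endpoint."""
    hits = defaultdict(lambda: {"served": 0, "denied": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or normalize(m["target"]) != ENDPOINT:
            continue
        entry = hits[m["ip"]]
        if m["status"] == "200":        # data was returned to this client
            entry["served"] += 1
            entry["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        elif m["status"] in ("401", "403"):  # access control answered
            entry["denied"] += 1
    return dict(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2024:10:01:22 +0000] "GET /evo-apigw/evo-face/personInfo/page?a=1 HTTP/1.1" 200 4312 "-" "-"',
    '198.51.100.7 - - [12/Mar/2024:10:01:25 +0000] "GET /evo-apigw//evo-face/personInfo/page HTTP/1.1" 200 4312 "-" "-"',
    '203.0.113.9 - - [12/Mar/2024:10:02:01 +0000] "GET /evo-apigw/evo-face/personInfo%2Fpage HTTP/1.1" 403 153 "-" "-"',
    '192.0.2.44 - - [12/Mar/2024:10:03:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.44 - - [12/Mar/2024:10:03:12 +0000] "POST /evo-apigw/evo-face/personInfo/page HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for ip, stats in find_exposures(SAMPLE).items():
        print(ip, stats)
```

After access control is tightened, the same tally should show only `denied` counts for clients that are not expected to call the endpoint.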

If exploited, the Information Disclosure vulnerability in Dahua ICC could lead to privacy breaches. Unauthorized individuals could retrieve sensitive personal information, leading to potential identity theft or fraud. Organizations may face legal consequences for failing to protect customer data in compliance with data protection regulations. The leaked information could be used in social engineering attacks or sold on the dark web. Overall, it poses reputational risks to the organization alongside possible financial damages. Proper measures must be taken to secure exposed endpoints and implement stricter access controls.
