Webscam, the HP printer scanning exploit that works a charm

Zscaler, a US cloud security company, has discovered an interesting exploit for stealing images of documents left in HP printers.

Exploit is too strong a word, as there is no hacking involved: the printer has no security to bypass. The default settings of the OfficeJet and Photosmart printers mean that no password is set on the web interface, and many users leave it that way.

By searching for commonly-used phrases displayed on the printers' web user interface (UI), a list of likely suspects is compiled. Simply by clicking on the links, each printer's UI can be viewed in turn.

Click on the Webscan link on the UI and then do a prescan to see if anyone has left a document on the glass. When one is found it can be scanned, and the image downloads in a pop-up window.

Michael Sutton, vice president for security research at Zscaler, has blogged about his discovery and kindly downloaded a document that he found in his virtual travels.

“In researching this blog, I saw cheques, legal documents, completed ballot forms, phone numbers… and my personal favourite, Jim’s diploma informing the world that he’s now a Certified Mold Inspector – congratulations Jim!” Sutton wrote.

Having got the dirt on the mold inspector, Sutton passed on to find a voting form to choose a Republican candidate. Steve Poizner – now there’s a name you can trust – is the man selected. A quick Google reveals that he was a candidate to contest the governorship of California for the Republicans but was beaten by former eBay CEO Meg Whitman.

TechEye, never one to shirk a challenge, put the Sutton claim on trial. After ten minutes’ fishing we hooked our first catch: a wedding photograph taken in 2004, possibly in Central or South America. No, it’s not a family of banditos, it’s our feeble attempt at offering them anonymity.

By the way, whoever you are, your printer needs paper and your black ink is running dry. We could have bought you fresh supplies through your printer interface but random acts of kindness are not a strong suit here.

HP did not get back to us to give their side of the story but the exploit works. So over to you HP.