

HTC failed to lock down fingerprints captured by one of its phones, leaving prints exposed to any app that knew to go looking for them, according to a report from security firm FireEye Labs. The firm found that the HTC One Max, a nearly two-year-old phone with a fingerprint reader, kept the fingerprints that it scanned in an unencrypted, world-readable file; in practice, that means any app on the device could read the file and get a look at the stored fingerprints, which would be a real issue if a malicious app knew about the flaw. HTC fixed the vulnerability after being alerted to it, FireEye says.

The One Max had been storing fingerprint data in a specialized bitmap file, which FireEye was able to reconstruct into a proper scan of the print (shown right, cropped by FireEye for anonymity). The One Max even updated its fingerprint image every time it received a new scan, so an attacker could have grabbed multiple images.
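The weakness described above is a file-permission problem: a biometric template stored where every other uid on the device can read it. The following is an added illustration, not code from FireEye's report or from HTC, of how a defender would audit for that condition and correct it. On Android each app runs under its own Linux uid, so any group or other read bit on such a file amounts to exposure to every installed app. The file names and contents are constructed placeholders, not real device paths.

```python
import os
import stat
import tempfile

# Mode bits that let a process running as a different uid read the file.
OTHER_READABLE = stat.S_IRGRP | stat.S_IROTH


def is_mode_world_readable(mode: int) -> bool:
    """Return True if group or other read permission is set in `mode`."""
    return bool(mode & OTHER_READABLE)


def is_world_readable(path: str) -> bool:
    """Inspect the permission bits of the file at `path` (not the caller's own access)."""
    return is_mode_world_readable(os.stat(path).st_mode)


def audit(paths):
    """Return the subset of `paths` whose permission bits expose them to other uids."""
    return [p for p in paths if is_world_readable(p)]


def harden(path: str) -> int:
    """Restrict the file to owner read/write only and return the resulting mode bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: two template files, one exposed (the reported weakness)
    and one restricted (the corrected setting). Returns the audit findings before and
    after hardening the exposed file, as base names."""
    workdir = tempfile.mkdtemp()
    # Placeholder names, not the real file location from the report.
    exposed = os.path.join(workdir, "exposed_template.bmp")
    private = os.path.join(workdir, "private_template.bmp")
    for p in (exposed, private):
        with open(p, "wb") as f:
            f.write(b"BM" + b"\x00" * 62)  # constructed stand-in for a bitmap header
    os.chmod(exposed, 0o644)  # readable by every other uid on the device
    os.chmod(private, 0o600)  # owner-only

    before = audit([exposed, private])
    harden(exposed)
    after = audit([exposed, private])
    return ([os.path.basename(p) for p in before],
            [os.path.basename(p) for p in after])


if __name__ == "__main__":
    print(demo())
```

The audit deliberately reads the permission bits rather than calling `os.access`, since the question is whether other uids can read the file, not whether the auditing process can. Restricting the mode is the minimum fix; the report's point that the data was also unencrypted means a permission change alone still leaves the template in the clear for anyone with root or a backup of the partition.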


FireEye's report suggests that other phones with fingerprint readers may have similar problems, though it only names the One Max. The report also notes that certain phones failed to fully secure their fingerprint sensor, potentially allowing apps to step in and read prints as a scan was happening. This flaw was present on the One Max, Samsung's Galaxy S5, and others that FireEye leaves unnamed; all phones with the flaw were fixed after their manufacturer was alerted to the issue. HTC and Samsung did not immediately respond to requests for comment.


The One Max was never a particularly popular or successful phone, and it isn't known whether any of these flaws was ever used maliciously. But there's still good reason to be concerned about this vulnerability's existence. As FireEye notes in its report, you can't change your fingerprints like you can change a leaked password: "once leaked," it writes, "they are leaked for the rest of your life."
