
A publicly accessible storage server hosted by Amazon allowed anyone with a web browser to access potentially hundreds of thousands of people’s personal data without needing a password. This included driver’s licenses, passports and other personal information collected by the Duc app, a money transfer service owned by Toronto-based Duales.
The Canadian fintech company said it resolved the data exposure on Tuesday after TechCrunch alerted its chief executive that one of the company’s cloud storage servers was publicly listing its contents without a password.
The data was also stored unencrypted, so anyone with a link to the data could view it in full.
Anurag Sen, a security researcher at CyPeace who discovered the exposure earlier this week, contacted TechCrunch to help notify the owner of the data. Sen said anyone could view and download the data using their browser just by knowing the easy-to-guess web address of the storage server.
According to Sen, the Amazon-hosted storage server listed over 360,000 files containing government-issued documents and other information used by customers to confirm their identities through “Know Your Customer” checks. These files included selfies uploaded by users to prove their real-world likeness.
TechCrunch was unable to determine the exact number of driver’s licenses and passports exposed; however, several folders in the exposed bucket each contained tens of thousands of files uploaded by users, including a number of driver’s licenses, passports and selfies.
Duales promotes its app as a way for users to send money to other users, including abroad in Cuba and elsewhere. Its listing on the Google Play app store shows more than 100,000 downloads to date.
The files, which dated back to September 2020 and were uploaded daily, also included spreadsheets with customer names, home addresses and the date, time and details of their transactions.
When contacted by email, Duales CEO Henry Martinez González told TechCrunch that the data was stored on a “staging site,” referring to a website used primarily for testing purposes, but did not explain why customers’ personal information was publicly available in the same database.
“All protective measures are in place,” said Martinez González. “We are notifying the appropriate parties. We have not engaged in any services from you.”
After TechCrunch emailed the company, access to the files on the storage server was blocked, but a listing of the server’s contents is still visible.
Martinez González would not say whether the company had the technical means, such as logs, to determine who or how many people accessed the data.
The Duc app website appeared to be briefly down on Thursday, displaying a “Bad Gateway” error.
It is not clear how or why Duales made its Amazon-hosted storage server publicly available on the internet. In recent years, Amazon has added security controls to prevent users from accidentally exposing their data to the internet, after several corporate giants, including a US spy agency, had sensitive data published on the internet as a result of misconfigurations.
When contacted by TechCrunch as part of our outreach to the app’s owner, Canada’s privacy regulator said it was awaiting further information from the company.
“The Office of the Privacy Commissioner of Canada has reached out to the company to obtain further information and determine next steps,” a spokesperson for the regulator told TechCrunch by email, declining to comment further.
The Duc app is the latest in a string of recent security lapses that exposed people’s sensitive identity information. This data exposure comes as apps and websites increasingly require their users to upload government-issued documents to verify they are who they say they are, without taking sufficient measures to protect the data they collect.
Last year, the popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before they could be accepted into the app’s gated community. Discord also confirmed a data breach last year that affected around 70,000 government-issued documents uploaded by users seeking to verify their age, as part of a global push to introduce online age verification laws.
