Money transfer app Duc exposed thousands of driver’s licenses and passports to the open web


A publicly accessible Amazon-hosted storage server allowed anyone with a web browser to access potentially hundreds of thousands of people’s personal information without needing a password. This included driver’s licenses, passports, and other personal information collected by the Duc App, a money-transfer service owned by Toronto-based Duales.

The Canadian fintech company said it resolved the data exposure on Tuesday after TechCrunch alerted its chief executive that one of the company’s cloud storage servers was publicly listing its contents, without a password.

The data was also stored unencrypted, meaning anyone with a link to the data was able to view it in full.

Security researcher Anurag Sen, who discovered the data lapse earlier in the week, contacted TechCrunch in an effort to notify the data’s owner. Sen said that anyone could view and download the data using their browser just by knowing the easy-to-guess web address of the storage server.

According to Sen, the Amazon-hosted storage server listed over 360,000 files containing government-issued documents and other information used by customers to verify their identity through “know your customer” checks. These files included user-uploaded selfies to prove their real-world likeness.

TechCrunch could not ascertain the precise number of exposed driver’s licenses and passports; however, several folders in the exposed bucket each contained tens of thousands of user-uploaded files, a sampling of which listed driver’s licenses, passports, and selfies.

Duales touts its app as a way for users to send money to other users, including overseas in Cuba and elsewhere. Its Android app listing on the Google Play app store shows more than 100,000 user downloads to date.

The files, which dated back to September 2020 and were being uploaded daily, also contained spreadsheets listing customer names, home addresses, and the dates, times, and details of their transactions.

When reached by email, Duales chief executive Henry Martinez González told TechCrunch that the data was stored on a “staging site,” referring to a website used primarily for testing, but did not explain why customers’ personal information was publicly accessible in the same database.

“All protections are in place,” Martinez said. “We are notifying the appropriate parties. We have not contracted any services from you.”

After TechCrunch emailed the company, the files on the storage server were made inaccessible, though a list of the server’s contents is still visible.

Martinez would not say if the company had the technical means, such as logs, to determine who or how many people accessed the data.

Duc App’s website appeared briefly down on Thursday, and displayed a “bad gateway” error.

It’s not clear how or for what reason Duales left its Amazon-hosted storage server publicly open to the internet. In recent years, Amazon has added security checks to prevent users from inadvertently exposing their data to the internet after a series of high-profile incidents where several corporate giants, including a U.S. spy agency, published sensitive data to the web due to misconfigurations.
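As an added illustration of the failure mode the article describes (an open-directory bucket that a browser can list and download from without credentials), the following Python evaluates a bucket's policy, ACL grants and Public Access Block settings offline and reports whether an unauthenticated caller could list or fetch objects. This is example code written for this page, not code from TechCrunch, Duales or AWS; the dict shapes are those returned by the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs, and the bucket name and sample policy are constructed.

```python
"""Offline audit of S3-style bucket settings for anonymous list/download exposure.

Inputs are plain dicts in the shape the S3 APIs return (GetBucketPolicy JSON,
GetBucketAcl "Grants", GetPublicAccessBlock configuration).  The sample
values at the bottom are constructed for this example.
"""
import json

# Real S3 ACL group URIs: AllUsers is anonymous; AuthenticatedUsers is any AWS
# account at all, which for a data-exposure assessment is effectively public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

LISTING_ACTIONS = {"s3:listbucket", "s3:*", "*"}     # lets a caller enumerate keys
DOWNLOAD_ACTIONS = {"s3:getobject", "s3:*", "*"}     # lets a caller fetch objects


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, signed or not)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_grants(policy):
    """Return the subset of {"list", "download"} a bucket policy hands to everyone.

    Statements with a Condition are still reported: only certain condition keys
    (source IP, VPC, etc.) actually narrow a public grant, so they need review.
    """
    grants = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & LISTING_ACTIONS:
            grants.add("list")
        if actions & DOWNLOAD_ACTIONS:
            grants.add("download")
    return grants


def acl_public_grants(grants):
    """Bucket-level READ (or FULL_CONTROL) for a global group = anonymous listing."""
    found = set()
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTHENTICATED_USERS) and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            found.add("list")
    return found


def assess_bucket(policy, acl_grants, public_access_block):
    """Combine policy, ACL and the account/bucket Public Access Block guardrail."""
    policy_exposure = policy_public_grants(policy)
    acl_exposure = acl_public_grants(acl_grants)
    # IgnorePublicAcls makes existing public ACL grants inert;
    # RestrictPublicBuckets limits a public policy to AWS principals only.
    if public_access_block.get("IgnorePublicAcls"):
        acl_exposure = set()
    if public_access_block.get("RestrictPublicBuckets"):
        policy_exposure = set()
    exposure = policy_exposure | acl_exposure
    return {"public_can": sorted(exposure), "exposed": bool(exposure)}


# Constructed sample: a "staging" bucket with a blanket public-read policy.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-staging-bucket",
                     "arn:aws:s3:::example-staging-bucket/*"],
    }],
}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {key: True for key in NO_BLOCK}

if __name__ == "__main__":
    # Same policy, with and without the Public Access Block guardrail enabled.
    print(json.dumps(assess_bucket(OPEN_POLICY, [], NO_BLOCK)))
    print(json.dumps(assess_bucket(OPEN_POLICY, [], FULL_BLOCK)))
```

The two runs at the bottom show the point the article makes about the AWS-side guardrail: the identical open policy is reported as exposed when the Public Access Block is off and as not exposed when it is fully on. To use this against real settings, feed it the JSON from `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` for each bucket; it never needs to touch the bucket's objects.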

When reached by TechCrunch as part of our outreach to contact the app’s owner, Canada’s privacy regulator said it was seeking more information from the company.

“The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps,” a spokesperson for the regulator told TechCrunch by email, declining to comment further.

Duc App is the latest app in a list of recent data lapses involving the exposure of other people’s sensitive identity data. This data exposure comes as apps and websites are increasingly requiring their users to upload their government-issued documents to verify who they say they are, but without taking adequate steps to secure the data that they collect.

Last year, popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before allowing them into the app’s gated community. Discord last year also confirmed a data breach affecting around 70,000 government-issued documents uploaded by users who sought to verify their age, amid a worldwide effort to enact online age-checking laws.
