
An Amazon-hosted, publicly accessible storage server allowed anyone with a web browser to access the personal data of hundreds of thousands of people without needing a password. The data included driver’s licenses, passports and other personal information collected by the Duc app, a money transfer service owned by Toronto-based Duales.
The Canadian fintech company said it resolved a data exposure issue on Tuesday after TechCrunch alerted its CEO that one of the company’s cloud storage servers was publicly listing its contents without a password.
The data was also stored unencrypted, meaning anyone with a link to the data was able to view it in full.
Anurag Sen, a security researcher at Sybase who discovered the exposure earlier in the week, contacted TechCrunch in an attempt to notify the data owner. Anyone could view and download the data using their browser simply by knowing the easy-to-guess web address of the storage server, Sen said.
According to Sen, the Amazon-hosted storage server listed more than 360,000 files containing government-issued documents and other information that customers use to verify their identity through “know your customer” checks. These files included selfies uploaded by users to show that they match the identity documents they submitted.
TechCrunch was unable to confirm the exact number of driver’s licenses and passports exposed, but many of the folders in the exposed collection contained tens of thousands of user-uploaded files, a sample of which included driver’s licenses, passports, and personal photos.
Duales promotes its app as a way for users to send money to other users, including recipients abroad in Cuba and elsewhere. Its listing on Google Play shows that more than 100,000 users have downloaded the Android app so far.
The files, dating back to September 2020 and uploaded daily, also contain spreadsheets listing customers’ names, home addresses, dates, times and details of their transactions.
When contacted by email, Duales CEO Henry Martinez Gonzalez told TechCrunch that the data was stored on a “staging site,” referring to a website used primarily for testing, but did not explain why customers’ personal information would be publicly accessible in the same database.
“All the protections are in place,” Martinez Gonzalez said. “We are notifying interested parties. We have not contracted for any services with you.”
After TechCrunch sent an email to the company, files on the storage server became inaccessible, although a list of the server’s contents is still visible.
Martinez Gonzalez did not clarify whether the company had the technical means, such as logs, to determine who or how many people accessed the data.
The Duc website also briefly appeared to be down on Thursday, displaying a “bad gateway” error.
It’s not clear how or why Duales left the Amazon-hosted storage server open to the public on the Internet. In recent years, Amazon has added security checks to prevent users from unintentionally exposing their data online, after a series of high-profile incidents in which numerous large companies, and a US intelligence agency, published sensitive data to the web because of misconfigurations.
When contacted by TechCrunch as part of its efforts to reach the app’s owner, Canada’s privacy regulator said it was seeking more information from the company.
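The failure modes this story turns on (a bucket anyone can list and read, objects stored without encryption, and, per the CEO’s non-answer, no clear record of who accessed them) are all visible in a bucket’s own configuration. The following audit script is an added example written for this page; it is not code from TechCrunch, Duales, or AWS. It assesses plain dicts shaped like the responses boto3 returns for `get_public_access_block`, `get_bucket_policy_status`, `get_bucket_encryption` and `get_bucket_logging`, so the logic runs offline against two constructed configurations (an exposed “staging” bucket beside a hardened one); the optional live collector assumes boto3 is installed and credentials with read access to the bucket’s configuration.

```python
"""Audit an S3 bucket configuration for public access, default encryption
and access logging. Added example for this article; not vendor code.

assess_bucket_config() works on dicts in the shape boto3 returns, so it is
testable offline. fetch_bucket_config() (assumption: boto3 installed, AWS
credentials with s3:GetBucket* permissions) gathers those dicts live.
"""
from typing import Optional

# The four Block Public Access switches; all must be on for the account-level
# guardrail Amazon added after earlier bucket leaks to actually bite.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_bucket_config(public_access_block: Optional[dict],
                         policy_status: Optional[dict],
                         encryption: Optional[dict],
                         logging_cfg: Optional[dict]) -> list[str]:
    """Return a list of finding codes; an empty list means no issue found."""
    findings = []

    # None models the API error you get when no block has ever been set.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:
        findings.append("public-access-block-incomplete: " + ",".join(missing))

    # AWS itself evaluates the bucket policy and reports whether it grants
    # anonymous access (e.g. s3:ListBucket / s3:GetObject to Principal "*").
    if (policy_status or {}).get("PolicyStatus", {}).get("IsPublic", False):
        findings.append("bucket-policy-public")

    # Older buckets may have no default encryption rule at all; objects then
    # land in plaintext unless every uploader remembers to ask for SSE.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("no-default-encryption")

    # Without server access logging (or CloudTrail data events) there is no
    # way to answer "who downloaded what" after an exposure.
    if "LoggingEnabled" not in (logging_cfg or {}):
        findings.append("access-logging-disabled")

    return findings


def fetch_bucket_config(bucket: str, s3=None) -> tuple:
    """Collect the four config responses for a live bucket (needs boto3)."""
    import boto3  # imported lazily so the offline assessment needs no SDK
    from botocore.exceptions import ClientError

    s3 = s3 or boto3.client("s3")

    def call(method, absent_codes):
        try:
            return method(Bucket=bucket)
        except ClientError as err:
            # "Not configured" is itself a finding, so map it to None.
            if err.response["Error"]["Code"] in absent_codes:
                return None
            raise

    return (
        call(s3.get_public_access_block, {"NoSuchPublicAccessBlockConfiguration"}),
        call(s3.get_bucket_policy_status, {"NoSuchBucketPolicy"}),
        call(s3.get_bucket_encryption, {"ServerSideEncryptionConfigurationNotFoundError"}),
        call(s3.get_bucket_logging, set()),  # returns {} when logging is off
    )


# Constructed sample responses (not real buckets): a "staging" bucket left
# world-listable and unencrypted, beside the same bucket hardened.
EXPOSED_STAGING_BUCKET = (
    None,                                        # no Block Public Access set
    {"PolicyStatus": {"IsPublic": True}},        # policy grants anonymous access
    None,                                        # no default encryption rule
    {},                                          # access logging off
)

HARDENED_BUCKET = (
    {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    {"PolicyStatus": {"IsPublic": False}},
    {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    {"LoggingEnabled": {"TargetBucket": "example-log-bucket",
                        "TargetPrefix": "s3-access/"}},
)


if __name__ == "__main__":
    for name, cfg in (("exposed-staging", EXPOSED_STAGING_BUCKET),
                      ("hardened", HARDENED_BUCKET)):
        print(name, assess_bucket_config(*cfg) or ["ok"])
```

Running the script prints four findings for the constructed staging bucket and `ok` for the hardened one; the same assessment applies to any live bucket via `assess_bucket_config(*fetch_bucket_config("my-bucket"))`. The point of checking a staging bucket with exactly the same rules as production is the one the CEO’s “staging site” answer skips: the KYC documents in it were real, so the environment label changes nothing about the required controls.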
“The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps,” a spokesperson for the regulator told TechCrunch via email, declining to comment further.
Duc is the latest in a string of recent security lapses that exposed sensitive identity data. This exposure comes at a time when apps and websites are increasingly asking their users to upload government-issued documents to verify their identity, without taking adequate steps to secure the data they collect.
Last year, the popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before allowing them into its gated community. Discord also confirmed last year a data breach affecting about 70,000 government-issued documents uploaded by users seeking to verify their age, amid a global push to enact online age verification laws.