An Amazon-hosted storage server was left publicly accessible, allowing anyone with a web browser to view the personal data of potentially hundreds of thousands of people without a password. The data included driver's licenses, passports, and other personal information collected by Duc App, a money transfer service owned by Toronto-based Duales.
The Canadian fintech company announced on Tuesday that it had resolved a data breach after TechCrunch alerted the company's chief executive that one of its cloud storage servers was exposing content without a password.
The data was stored unencrypted, making it fully visible to anyone with a link to the data.
CyPeace security researcher Anurag Sen, who discovered the security flaw earlier this week, contacted TechCrunch for help notifying the owner of the data. Sen said anyone who knew the easy-to-guess web address of the storage server could use a browser to view or download the data.
Sen said the Amazon-hosted storage server listed more than 360,000 files containing government-issued documents and other information that customers use to verify their identity through “know-your-customer” checks. The files also contained selfies uploaded by users to prove their identity.
TechCrunch could not confirm the exact number of driver's licenses and passports that were leaked. However, several folders in the exposed bucket each contained tens of thousands of files uploaded by users, with samples including driver's licenses, passports, and selfies.
Duales promotes the app as a way for users to send money to other users, including overseas destinations such as Cuba. The Android app's listing on the Google Play app store shows that more than 100,000 users have downloaded it so far.
The files date back to September 2020, with new files uploaded daily, and also included a spreadsheet with customer names, home addresses, and transaction dates, times, and details.
Duales CEO Henry Martínez González told TechCrunch in an email that the data is primarily stored on a “staging site,” referring to websites used for testing, but did not explain why customers' personal information was publicly accessible within the same database.
“We have all the protections in place,” Martínez González said. “We are notifying the appropriate parties. We are not contracting any services from you.”
After TechCrunch emailed the company, the files on the storage server were no longer accessible, but a listing of the server's contents was still visible.
Martínez González declined to say whether the company had logs or other technical means to determine who accessed the data.
The Duc App website went down temporarily on Thursday, displaying an “invalid gateway” error.
It is unclear how or why Duales left its Amazon-hosted storage server exposed to the internet. Amazon has added security checks to prevent users from inadvertently exposing their data to the internet, following a series of high-profile incidents in recent years in which several large organizations, including U.S. spy agencies, exposed sensitive data to the web due to misconfigurations.
Canada's privacy regulator, which TechCrunch contacted while trying to reach the app's owner, said it is seeking more information from the company.
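The misconfiguration described in this story, a bucket readable and listable by anyone without credentials, is something a bucket owner can audit for. The following is an added example, not code from TechCrunch or Duales, that checks three signals on each S3 bucket using the standard boto3 calls: the Block Public Access settings Amazon added, ACL grants to the AllUsers/AuthenticatedUsers groups (a bucket-level READ grant is what keeps a file listing visible even after the objects are locked down), and whether the bucket policy is public. `evaluate_bucket` is pure so it can be run against captured API responses; `audit_account` is the assumed wrapper that pulls the live data.

```python
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def evaluate_bucket(public_access_block, acl_grants, policy_is_public):
    """Return a list of findings for one bucket (pure function, no AWS calls).
    public_access_block: PublicAccessBlockConfiguration dict, or None if the bucket has none.
    acl_grants: 'Grants' from get_bucket_acl; policy_is_public: 'IsPublic' from get_bucket_policy_status."""
    findings = []
    if public_access_block is None:
        findings.append("no Block Public Access configuration")
    else:
        missing = [k for k in BLOCK_KEYS if not public_access_block.get(k)]
        if missing:
            findings.append("Block Public Access disabled: " + ", ".join(missing))
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            # READ granted to AllUsers on the bucket exposes the file listing even if objects are private.
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    if policy_is_public:
        findings.append("bucket policy is public")
    return findings

def audit_account():
    """Run evaluate_bucket over every bucket visible to the caller's AWS credentials."""
    import boto3  # imported lazily so evaluate_bucket stays usable without AWS access
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = None
        grants = s3.get_bucket_acl(Bucket=name)["Grants"]
        try:
            is_public = s3.get_bucket_policy_status(Bucket=name)["PolicyStatus"]["IsPublic"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            is_public = False
        report[name] = evaluate_bucket(pab, grants, is_public)
    return report
```

An empty findings list means the bucket has all four Block Public Access settings on, no public ACL grants, and no public policy; anything else should be reviewed before the bucket holds identity documents.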
“The Privacy Commissioner of Canada has contacted the company to obtain further information and determine next steps,” a spokesperson for the regulator told TechCrunch via email, declining further comment.
Duc App is the latest in a series of recent security incidents involving leaked identity data. Such breaches occur because apps and websites increasingly require users to upload government-issued documents to verify who they are, but do not take sufficient steps to protect the data they collect.
Last year, the popular app TeaOnHer exposed the passports and driver's licenses of thousands of users, which it required them to upload before being allowed to join the app's gated community. Last year, Discord also identified a data breach that affected approximately 70,000 government-issued documents uploaded by users seeking age verification during a global effort to enact online age verification laws.