A cloud storage bucket hosted on Amazon and reachable from the open internet allowed anyone with a web browser to retrieve the personal information of potentially hundreds of thousands of people, with no password required. The exposed data included driver's licenses, passports, and other personal details collected by the Duc App, a money transfer service owned by Toronto-based Duales.
The Canadian fintech company said it had fixed the data exposure by Tuesday, after TechCrunch alerted its chief executive that one of the company's cloud storage servers was publicly exposing its contents without any password.
The data was also stored unencrypted, meaning anyone with a direct web address to a file could view it in full.
Security researcher Anurag Sen, who found the exposure earlier in the week, contacted TechCrunch for help notifying the data's owner. Sen said the data could be viewed and downloaded directly in a web browser by anyone who knew the easily guessable web address of the storage bucket.
By Sen's count, the Amazon-hosted bucket listed more than 360,000 records containing government identity documents and other details that customers used to verify their identities through "KYC" (know-your-customer) checks. The records included selfies that users uploaded to prove their likeness.
TechCrunch could not determine exactly how many driver's licenses and passports were exposed; however, several directories in the exposed bucket each held tens of thousands of user-uploaded files, a sample of which showed driver's licenses, passports, and selfies.
Duales markets its app as a way for people to send money to each other, including international transfers to Cuba and elsewhere. The app's listing on the Google Play store for Android shows more than 100,000 installs to date.
The records, dating back to September 2020 and updated daily, also included spreadsheets listing customer names, home addresses, and the dates, times, and details of their transactions.
Reached by email, Duales CEO Henry Martinez González told TechCrunch that the data was on a "development environment," a term that usually refers to a web system used primarily for testing, but he did not explain why customers' personal information was publicly accessible in that database.
“Every safeguard is operational,” stated Martinez. “We are informing the relevant stakeholders. We have not engaged you for any services.”
After TechCrunch emailed the company, the files in the bucket were made inaccessible, though a listing of the server's contents remains visible.
Martinez would not say whether the company had the technical means, such as audit logs, to determine who or how many people had accessed the data.
The Duc App's website was intermittently offline on Thursday, showing a "bad gateway" error.
It is not clear how or why Duales left its Amazon-hosted storage server exposed to the internet. In recent years, Amazon has added security controls to protect customers from inadvertently exposing their data online, after a series of high-profile incidents in which major companies, and even a U.S. intelligence agency, spilled sensitive data onto the internet because of misconfigurations.
Canada's data protection authority, contacted by TechCrunch as part of efforts to reach the app's owner, said it was seeking more information from the company.
"The Canadian Privacy Commissioner's Office has contacted the firm to acquire additional details and ascertain subsequent actions," a spokesperson for the regulator told TechCrunch by email, declining to comment further.
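The exposure described above combines two misconfigurations: a storage location that anyone can list and read without credentials, and data stored without encryption. The following is an added example, not code from TechCrunch, Duales, or the researcher, showing how a defender can audit a bucket's configuration for exactly that pattern. It assumes the store was an Amazon S3 bucket and works on constructed configuration documents in the shape the S3 API returns (bucket policy, ACL, Public Access Block settings, and default encryption rules), so it runs offline with no AWS credentials; the bucket name, account ID, role and key alias in the sample documents are made-up placeholders.

```python
"""Audit a bucket's configuration for anonymous access and missing encryption.

Added example, not code from the article's subject. Assumption: the exposed
store was an Amazon S3 bucket. All configuration documents below are
constructed in the shape the S3 API returns (GetBucketPolicy, GetBucketAcl,
GetPublicAccessBlock, GetBucketEncryption), so the check runs offline.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Bucket-level READ lets any caller list object keys; combined with a
# policy granting s3:GetObject, every file becomes downloadable by URL.
ACL_PUBLIC_PERMS = {"READ", "FULL_CONTROL"}
POLICY_PUBLIC_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, no credentials."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def policy_public_actions(policy):
    """Actions that a bucket policy grants to anonymous callers."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_anonymous(stmt.get("Principal")):
            granted.update(a for a in _as_list(stmt.get("Action"))
                           if a.lower() in POLICY_PUBLIC_ACTIONS)
    return granted


def acl_public_grants(acl):
    """(group, permission) pairs in an ACL that expose the bucket."""
    return [
        (g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
        and g.get("Permission") in ACL_PUBLIC_PERMS
    ]


def audit_bucket(policy, acl, public_access_block, encryption):
    """Return a list of findings; an empty list means no exposure detected."""
    findings = []
    pab = public_access_block or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("Block Public Access incomplete: " + ", ".join(missing))
    # A public policy only takes effect when RestrictPublicBuckets is off,
    # and a public ACL only takes effect when IgnorePublicAcls is off.
    actions = policy_public_actions(policy)
    if actions and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy grants anonymous " + ", ".join(sorted(actions)))
    grants = acl_public_grants(acl)
    if grants and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants " + ", ".join(f"{p} to {g}" for g, p in grants))
    rules = (encryption or {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append("no default server-side encryption rule")
    return findings


# Constructed configuration reproducing the pattern in the article: anonymous
# listing via ACL, anonymous object reads via policy, no PAB, no encryption.
EXPOSED = dict(
    policy={"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-kyc-uploads/*"}]},
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    public_access_block=None,
    encryption=None,
)

# Constructed hardened configuration: PAB fully on, only a named service role
# in the policy, owner-only ACL, and SSE-KMS by default (placeholder IDs).
HARDENED = dict(
    policy={"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/kyc-service"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-kyc-uploads/*"}]},
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                     "Permission": "FULL_CONTROL"}]},
    public_access_block={flag: True for flag in PAB_FLAGS},
    encryption={"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/kyc-uploads"}}]},
)

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, json.dumps(audit_bucket(**cfg), indent=2))
```

Run against the constructed documents, the exposed configuration yields four findings and the hardened one yields none. Two caveats when applying this to real buckets: the Block Public Access flags are the control that actually neutralises a stray public ACL or policy, so their absence is the finding to fix first; and server-side encryption at rest does nothing against the exposure in this story, because a publicly readable bucket serves decrypted objects to whoever requests them.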
The Duc App is the latest in a string of recent security lapses that exposed people's sensitive identity documents. The breach comes as apps and websites increasingly require users to submit government ID to verify who they are, without adequately protecting the data they collect.
Last year, the popular app TeaOnHer exposed thousands of its users' passports and driver's licenses, which it required users to upload before granting access to its members-only community. Discord also acknowledged last year a breach affecting about 70,000 government ID documents submitted by users to verify their age, amid a global push for digital age verification laws.