A recently uncovered security breach involving the Duc App, a Canadian money-transfer service, has prompted significant concern due to the exposure of sensitive personal data. A publicly accessible Amazon-hosted server made it possible for anyone with a web browser to access potentially hundreds of thousands of individuals’ personal information without needing a password. This includes sensitive documents like driver’s licenses, passports, and user-uploaded selfies.
The issue was brought to light by Anurag Sen, a security researcher who discovered the vulnerability and alerted TechCrunch, resulting in a response from Duc App’s chief executive. The company confirmed they had corrected the oversight on Tuesday after being informed of their cloud storage server’s poor security practices.
The unencrypted data housed on the server included over 360,000 files, comprising various government-issued documents intended for user verification through “know your customer” checks. Although the exact number of exposed passports and driver’s licenses was not determined, the contents of numerous folders suggested they were numerous. The files also contained sensitive spreadsheets that listed customer names, home addresses, and details regarding their transactions, dating as far back as September 2020 and updated daily.
Duales, the company behind the Duc App, has advertised its service as a means for users to transfer money, including internationally to places like Cuba. The app appears to have gained traction, with more than 100,000 downloads on Google Play.
In response to inquiries, Henry Martinez González, the CEO of Duales, described the compromised data as being stored on a “staging site” used primarily for testing purposes. However, he did not provide an adequate explanation for the public accessibility of sensitive customer information on this database. Following TechCrunch’s notification, access to the storage server was restricted, although a directory of its contents remained viewable.
There were questions about whether the company possessed the technical capabilities to identify who had accessed the exposed data. Martinez was evasive regarding this point. Meanwhile, the Duc App’s website briefly experienced a “bad gateway” error, leading to a temporary outage.
The cause of this lapse in security is unclear, especially given that Amazon has implemented security measures to help prevent such data exposures in recent years. In light of this incident, Canada’s privacy regulator has reached out to Duales for more information and to determine subsequent actions.
This alarming incident is just one of many recent security breaches involving sensitive identity data. As more applications compel users to upload their government documents for verification purposes, there is an urgent need for stronger data protection measures to safeguard the personal information of individuals.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
