A publicly accessible Amazon-hosted storage server allowed anyone with a web browser to access potentially hundreds of thousands of people’s personal data without needing a password. This included driver’s licenses, passports, and other personal information collected by the Duc App, a money-transfer service owned by Toronto-based Duales.
The Canadian fintech company said it resolved the data exposure on Tuesday after TechCrunch alerted its chief executive that one of the company’s cloud storage servers was publicly listing its contents, without a password.
The data was also stored unencrypted, meaning anyone with a link to the data was able to view it in full.
Anurag Sen, a security researcher at CyPeace who discovered the security lapse earlier in the week, contacted TechCrunch in an effort to notify the data’s owner. Sen said that anyone could view and download the data using their browser just by knowing the easy-to-guess web address of the storage server.
According to Sen, the Amazon-hosted storage server listed over 360,000 files containing government-issued documents and other information used by customers to verify their identity through “know your customer” checks. These files included user-uploaded selfies to prove their real-world likeness.
TechCrunch could not ascertain the precise number of exposed driver’s licenses and passports; however, several folders in the exposed bucket each contained tens of thousands of user-uploaded files, a sampling of which listed driver’s licenses, passports, and selfies.
Duales touts its app as a way for users to send money to other users, including overseas in Cuba and elsewhere. Its Android app listing on the Google Play app store shows more than 100,000 user downloads to date.
The files, which dated back to September 2020 and were being uploaded daily, also contained spreadsheets listing customer names, home addresses, and the dates, times, and details of their transactions.
When reached by email, Duales chief executive Henry Martinez González told TechCrunch that the data was stored on a “staging site,” referring to a website used primarily for testing, but did not explain why customers’ personal information was publicly accessible in the same database.
“All protections are in place,” Martinez González said. “We are notifying the appropriate parties. We have not contracted any services from you.”
After TechCrunch emailed the company, the files on the storage server were made inaccessible, though a list of the server’s contents is still visible.
Martinez González would not say if the company had the technical means, such as logs, to determine who or how many people accessed the data.
Duc App’s website appeared briefly down on Thursday, and displayed a “bad gateway” error.
It’s not clear how or for what reason Duales left its Amazon-hosted storage server publicly open to the internet. In recent years, Amazon has added security checks to prevent users from inadvertently exposing their data to the internet after a series of high-profile incidents where several corporate giants, including a U.S. spy agency, published sensitive data to the web due to misconfigurations.
When reached by TechCrunch as part of our outreach to contact the app’s owner, Canada’s privacy regulator said it was seeking more information from the company.
“The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps,” a spokesperson for the regulator told TechCrunch by email, declining to comment further.
Duc App is the latest app in a list of recent security lapses involving the exposure of other people’s sensitive identity data. This data exposure comes as apps and websites are increasingly requiring their users to upload their government-issued documents to verify who they say they are but without taking enough steps to secure the data that they collect.
Last year, popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before allowing them into the app’s gated community. Discord last year also confirmed a data breach affecting around 70,000 government-issued documents uploaded by users who sought to verify their age, amid a worldwide effort to enact online age checking laws.