A publicly accessible storage server hosted by Amazon allowed anyone with a web browser to access the personal data of potentially hundreds of thousands of people without needing a password. This included driver’s licenses, passports and other personal information collected by the Duc app, a money transfer service owned by Toronto-based Duales.
The Canadian fintech company said it resolved the data leak on Tuesday after TechCrunch alerted its CEO that one of the company’s cloud storage servers was publicly displaying its content, without a password.
The data was also stored unencrypted, meaning that anyone with a link to the data could see it in full.
Anurag Sen, security researcher at CyPeace which discovered the security flaw earlier in the week, contacted TechCrunch in an attempt to notify the owner of the data. Sen said anyone could view and download the data using their browser just by knowing the easy-to-guess web address of the storage server.
According to Sen, the storage server hosting Amazon listed more than 360,000 files containing government-issued documents and other information used by customers to verify their identity through “know your customer” checks. These files included selfies that users uploaded to prove their likeness in the real world.
TechCrunch was unable to ascertain the exact number of exposed driver’s licenses and passports. However, several folders in the exposed bin contained tens of thousands of user-uploaded files, a sample of which listed driver’s licenses, passports and selfies.
Duales advertises its app as a way for users to send money to other users, including foreigners in Cuba and elsewhere. Of Android App Listing on the Google Play app store it shows more than 100,000 user downloads till date.
The files, which dated back to September 2020 and were uploaded daily, also contained spreadsheets of customers’ names, home addresses and the dates, times and details of their transactions.
When reached by email, Duales CEO Henry Martinez González told TechCrunch that the data was stored on a “stage site,” referring to a site used primarily for testing, but did not explain why customers’ personal information was publicly accessible in the same database.
“All the protection measures are in place,” Martinez González said. “We are notifying the appropriate parties. We have not outsourced any services from you.”
After TechCrunch emailed the company, the files on the storage server became inaccessible, although a list of the server’s contents is still visible.
Martinez González would not say whether the company had the technical means, such as logs, to determine who or how many people had access to the data.
The Duc App website appeared briefly below on Thursday and showed a “bad port” error.
It is unclear how or why Duales left the storage server hosting Amazon publicly open to the Internet. In recent years, Amazon has added security controls to prevent users from inadvertently exposing their data online following a series of high-profile incidents where several corporate giants such as an American spy agencypublished sensitive data to the web due to misconfigurations.
When TechCrunch reached out to the app’s owner, Canada’s privacy regulator said it was seeking more information from the company.
“The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps,” a spokesperson for the regulator told TechCrunch via email, declining to comment further.
The Duc app is the latest in a list of recent security vulnerabilities that involve exposing other people’s sensitive identity data. This data exposure comes as apps and websites increasingly require their users to upload government-issued documents to verify who they say they are, but without taking enough steps to secure the data they collect.
Last year, the popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before allowing them to enter the app’s closed community. Discord last year also confirmed a data breach that affected about 70,000 government-issued documents uploaded by users trying to verify their age, amid a global push to enact online age verification laws.
