Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

A public server hosted by Amazon allowed anyone with a web browser to access hundreds of pieces of personal data without requiring a password. The exposed data includes driver’s licenses, passports, and other personal information collected by Duc App, the money transfer service owned by the Toronto-based Duales.
The Canadian fintech company said it had ended the data exposure on Tuesday after TechCrunch alerted its CEO that one of the company’s cloud storage servers was publicly exposing its contents, with no password required.
The data was also unencrypted, meaning that anyone with a link to the data could see all of it.
Anurag Sen, a security researcher at CyPeace who discovered the security lapse in the first week, contacted TechCrunch to inform the owner of the data. Sen said anyone could view and download the data using their web browser just by knowing the easy-to-guess address of the storage server.
According to Sen, the Amazon-hosted storage server stored more than 360,000 files containing government-issued documents and other information that customers use to verify their identity through “know your customer” checks. The files also included selfies taken by users to verify their true likeness.
TechCrunch was unable to determine the number of driver’s licenses and passports; however, several folders in each unpacked container contained thousands of user-uploaded files, examples of which included driver’s licenses, passports, and photographs.
Duales promotes its app as a way to send money to other users, including outside Cuba and elsewhere. Its Android app listing on the Google Play app store shows more than 100,000 downloads so far.
The files, which dated back to September 2020 and were being uploaded daily, also contained spreadsheets with customer names, home addresses, dates, times, and transaction details.
When reached by email, the CEO of Duales, Henry Martinez González, told TechCrunch that the data was stored on the “production site,” meaning the website used for testing, but did not explain why customers’ information was publicly accessible in the same database.
“All safeguards are in place,” said Martinez González. “We are notifying the appropriate parties. We have not entered into any agreement from you.”
After TechCrunch emailed the company, the files on the storage server were made inaccessible, although a list of the server’s contents is still visible.
Martinez González would not say whether the company has technical means, such as logs, to know who or how many people had access to the data.
The Duc App website appeared to be down on Thursday, returning a “bad gateway” error.
It is unclear why Duales left its Amazon-hosted server open to the Internet. In recent years, Amazon has added security checks to prevent users from inadvertently revealing their data online, after a series of high-profile incidents in which several corporate giants, including a US spy agency, published information on the Internet in error.
When approached by TechCrunch as part of our communication with the app’s owner, Canada’s privacy watchdog said it was seeking more information from the company.
“Canada’s Privacy Office has contacted the company for information and to review the action,” a spokesperson for the regulator told TechCrunch via email, declining to comment further.
Duc App is the latest in a series of recent security lapses involving the exposure of third-party information. The disclosure of the data comes as apps and websites increasingly ask users to provide their government-issued documents to verify their identity but do nothing to protect the information they collect.
Last year, the popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before allowing them to join. Discord last year also confirmed a data breach involving around 70,000 government-issued documents that had been uploaded by users who wanted to verify their age, as part of a global service implementing age verification rules on the Internet.