- Duc App exposed 360,000 unencrypted client files
- The data included IDs, addresses and transaction details
- Database secured after investigator alerted company
Duc App, a Canadian money transfer service provider, was leaking sensitive customer data onto the web, allowing anyone with an internet connection and a browser to access it.
Security researcher Anurag Sen of CyPeace recently discovered a publicly accessible Amazon-hosted storage server containing sensitive data on hundreds of thousands of people.
The data included people’s names and addresses, as well as the dates, times and details of their transactions. The files also contained driver’s licenses, passports and other documents collected during the Know Your Customer (KYC) registration process.
Lock the database
Sen said the server listed more than 360,000 files, all in unencrypted format and available to anyone who knew where to look. After making the discovery, Sen approached TechCrunch to help contact the owners of Duc App, a company called Duales.
The publication managed to contact the owners, who blocked the database shortly after. TechCrunch said it could not confirm the number of driver’s licenses and passports exposed, but said it saw “several folders” with tens of thousands of files uploaded by users, dating back to September 2020, and uploaded daily.
In an email statement shared with the publication, Duales CEO Martínez González said the data was stored on a “test site,” meaning the website was primarily used for testing. However, he did not explain why the database was publicly accessible.
“All protections are in effect,” Martínez González said. “We are notifying the appropriate parties. We have not contracted any services from you.”
We don’t know if any malicious third party managed to find the database before Sen, but it’s always possible. Cybercriminals frequently scan the Web for exposed databases like this one.
Cloud misconfigurations are generally the number one cause of data leaks and spills, largely because of the misconception that cloud security is primarily the responsibility of the service provider.