
Money transfer app Duc has exposed thousands of driver’s licenses and passports to the open web

A publicly accessible Amazon-hosted storage server allowed anyone with a web browser to access nearly hundreds of thousands of pieces of personal data without requiring a password. These included driver’s licenses, passports, and other personal information collected by Duc App, a money transfer service owned by Toronto-based Duales.

The Canadian fintech company said it had resolved the data disclosure on Tuesday after TechCrunch told its CEO that one of the company’s cloud storage servers was making its content public, without a password.

The data was also accessible without any authentication, meaning that anyone with a link to it was able to view it in full.

Anurag Sen, a security researcher at CyPeace who discovered the exposed data earlier in the week, contacted TechCrunch in an effort to notify the owner of the data. Sen said anyone could view and download the data using their browser just by knowing the easy-to-guess web address of the storage server.

According to Sen, the Amazon-hosted storage server listed more than 360,000 files containing government-issued documents and other information that customers use to verify their identity through a “know your customer” check. These files include user-uploaded selfies to prove their real-world likeness.

TechCrunch was unable to obtain an accurate number of exposed driver’s licenses and passports; however, several folders in the exposed bucket each contained tens of thousands of user-uploaded files, a sample of which included lists of driver’s licenses, passports, and selfies.

Duales promotes its app as a way for users to send money to other users, including overseas in Cuba and elsewhere. The listing of its Android app on the Google Play store shows over 100,000 user downloads so far.

The files, which date back to September 2020 and were uploaded daily, also contained spreadsheets listing customer names, home addresses, and dates, times, and details of their activities.

When reached by email, Duales’ CEO, Henry Martinez González, told TechCrunch that the data was stored on a “staging site,” referring to a website primarily used for testing, but did not explain why customers’ personal information was publicly accessible on that site.

“All safeguards are in place,” said Martinez González. “We are informing the right teams. We have not received a contract.”

After TechCrunch emailed the company, the files on the storage server were made inaccessible, although a list of the server’s contents is still visible.
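The state described above, where object downloads are blocked but the bucket’s listing remains readable, is typically a bucket policy that still grants anonymous `s3:ListBucket` after `s3:GetObject` was removed. The following is an added example, not code from the article or from the company: an offline linter over a bucket policy document in the JSON shape AWS returns, run against constructed sample policies with a placeholder bucket name.

```python
import fnmatch
import json

def _as_list(value):
    # IAM lets Action and Principal fields be a string or a list.
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} means any caller, signed or unsigned.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def _covers(statement, action):
    # Action names are case-insensitive and may be wildcarded ("s3:*", "s3:Get*").
    patterns = (p.lower() for p in _as_list(statement.get("Action", [])))
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def anonymous_access(policy_json):
    """Return which anonymous rights the bucket policy grants unconditionally."""
    found = {"list": False, "get": False, "conditional": False}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # scoped grant (e.g. VPC-only); flag for review
            found["conditional"] = True
            continue
        found["list"] |= _covers(stmt, "s3:ListBucket")
        found["get"] |= _covers(stmt, "s3:GetObject")
    return found

def describe(policy_json):
    """Map the finding onto the exposure states the article describes."""
    a = anonymous_access(policy_json)
    if a["list"] and a["get"]:
        return "public: anyone can list and download objects"
    if a["list"]:
        return "listing public: object reads blocked but file names still leak"
    if a["get"]:
        return "objects public to anyone who knows the key"
    return "no unconditional anonymous access"

# Constructed sample policies with a placeholder bucket name, not from the article.
FULLY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
LISTING_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example-bucket"}]})
```

Bucket ACLs and account-level S3 Block Public Access settings are a separate check; this linter only reads the policy document.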

Martinez González would not say whether the company had technical means, such as logs, to determine who or how many people accessed the data.

The Duc App website briefly went down on Thursday, and displayed a “bad gateway” error.

It is unclear why Duales left its Amazon-hosted storage server publicly open on the Internet. In recent years, Amazon has added security checks to prevent users from unknowingly exposing their data online after a series of high-profile incidents in which several corporate giants, including the US spy agency, published sensitive data on the web due to mishandling.

When contacted by TechCrunch, Canada’s privacy regulator said it wanted more information from the company.

“The Office of the Privacy Commissioner of Canada has contacted the company to obtain additional information and determine next steps,” a spokesperson for the regulator told TechCrunch via email, declining to comment further.

Duc App is the latest in a series of security lapses involving the exposure of sensitive identity documents held on behalf of users. This data exposure comes as apps and websites increasingly require their users to upload government-issued documents to verify their identity, without taking adequate measures to protect the data they collect.

Last year, the popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before allowing them into the app’s gated community. Discord last year also confirmed a data breach involving about 70,000 government-issued documents uploaded by users seeking to verify their age, amid a global effort to regulate online age verification.
