A serious security flaw in half a dozen popular mobile apps potentially leaked the personal and sensitive data of millions of users online. Researcher Mikail Tunç discovered in late December 2021 that multiple mobile apps on both Android and iOS have misconfigured identification verification services. More precisely – they did not follow best practices, as recommended by the service provider, Onfido.
Instead of keeping an API token at the back-end, they kept it exposed in the front-end, potentially leaking biometric data. Had someone found the flaw before Tunç, they could have obtained personally identifiable data such as ID cards, passports, or driver’s licenses, emails, full names, or physical addresses, putting users at risk of potential identity theft. Furthermore, an attacker could have obtained selfie videos, something many identification verification services require.
Millions of potential victims
No one had allegedly found the flaw before Tunç, meaning the data remains safe for now – although whether or not that’s actually the case still remains to be seen.
These tokens usually have an expiration date, as an extra contingency measure. However, these particular tokens did not have an expiration date, making the threat that much bigger.
According to CyberNews, which first revealed the news, the apps that were affected include FxPro Direct App, a trading platform with more than five million users, Europcar, a rent-a-car with more than a million users, Chip, savings app with almost half a million users, shopping app Hoolah, cryptocurrency app Mode, and a car-sharing service Greenwheels.
CyberNews asked Onfido whether it monitors if their clients follow a recommendation not to leave the API token in the frontend, with the company saying it provides detailed technical guidance to customers on how to implement the Onfido IDV workflow securely.
“As with other companies in similar domains it’s technically very difficult to tell if a private key is being used improperly, across such a diverse range of workflows, making it hard to enforce,” Onfido said, adding that its initial investigations showed there is no evidence of unauthorized access to data.
All these figures are from Google’s Play Store. Apple’s App Store does not even disclose download numbers, but it’s safe to say that these figures could, in the least, be double.
Those who used one of the apps listed above, and fear they might be targeted by malicious actors, should be extra careful of suspicious messages and connection requests from strangers, should reinforce their passwords, and add two-factor authentication whenever possible.
They should also make sure they keep their devices updated, run a cybersecurity solution, and a firewall, if possible.