A serious security flaw in half a dozen popular mobile apps has potentially leaked users’ personal and sensitive data online.
Researcher Mikail Tunç discovered in late December 2021 that several Android and iOS apps had misconfigured their identity verification (IDV) integration. Specifically, they did not follow the implementation guidance that the service provider, Onfido, recommends.
Instead of keeping the API token on the back-end, the apps embedded it in the front-end (the mobile app itself), where anyone who unpacks the app binary can extract it. Because that token authorises access to the whole customer account rather than to a single user's verification session, anyone who found the flaw before Tunç could have pulled out personally identifiable data such as identity cards, passports or driving licences, e-mail addresses, full names and physical addresses, exposing users to the risk of identity theft. An attacker could also have obtained the selfie videos that many identity verification services require.
Millions of potential victims
No one is known to have found the flaw before Tunç, which means the data appears to be safe for now, although that cannot be confirmed.
According to CyberNews, which broke the story, the affected apps include FxPro Direct App, a trading platform with over five million users; Europcar, a car rental app with over a million users; Chip, a savings app with nearly half a million users; shopping app Hoolah; cryptocurrency app Mode; and car-sharing service Greenwheels.
CyberNews asked Onfido whether it monitors if its customers follow its recommendation not to leave the API token in the front-end. The company said it provides detailed technical advice to customers on how to implement the Onfido IDV workflow safely.
“As with other companies in similar fields, it is technically very difficult to tell if a private key is being used inappropriately, across such a wide range of workflows, which makes it difficult to enforce,” said Onfido, adding that its initial investigations have shown that there is no evidence of unauthorized data access.
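The distinction the article and Onfido are drawing is between an account-wide API token and a short-lived token scoped to one verification session. The following Python is an added example written for this page; it is not the article's code and not Onfido's API or SDK. It models a generic IDV vendor with a toy `VendorAPI` class, a constructed token value and an assumed `api_live.<id>.<secret>` token shape for the scanner, and contrasts the insecure pattern (token shipped in the app bundle, so whoever extracts it can enumerate every applicant) with the recommended pattern (the back-end holds the API token and hands the app only an expiring, single-applicant SDK token).

```python
import base64, hashlib, hmac, json, re, secrets, time

# Constructed for this example; not a real credential and not Onfido's token format.
API_TOKEN = "api_live.0123456789ab.s3cr3t-s3cr3t-s3cr3t"


def _sign(key: str, claims: dict) -> str:
    """Compact signed token: base64url(JSON claims) + "." + HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def _verify(key: str, token: str) -> dict:
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("bad SDK token signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


class VendorAPI:
    """Toy stand-in for an IDV vendor's API (assumed design, not Onfido's real API).
    The API token is account-wide: it creates applicants, mints SDK tokens and reads
    every applicant's documents. An SDK token is bound to one applicant, expires, and
    can only upload."""

    def __init__(self, api_token: str):
        self._api_token = api_token
        self._signing_key = secrets.token_hex(32)  # vendor-side key, never leaves the vendor
        self.applicants = {}  # applicant_id -> {"name": str, "documents": [str]}

    def _auth(self, api_token: str) -> None:
        if not hmac.compare_digest(api_token, self._api_token):
            raise PermissionError("invalid API token")

    def create_applicant(self, api_token: str, name: str) -> str:
        self._auth(api_token)
        applicant_id = secrets.token_hex(6)
        self.applicants[applicant_id] = {"name": name, "documents": []}
        return applicant_id

    def list_applicants(self, api_token: str) -> dict:
        self._auth(api_token)  # only the account-wide token can enumerate everyone
        return {k: {"name": v["name"], "documents": list(v["documents"])} for k, v in self.applicants.items()}

    def create_sdk_token(self, api_token: str, applicant_id: str, ttl_s: int = 600, now=None) -> str:
        self._auth(api_token)
        if applicant_id not in self.applicants:
            raise KeyError(applicant_id)
        now = time.time() if now is None else now
        return _sign(self._signing_key, {"applicant_id": applicant_id, "exp": now + ttl_s, "scope": "upload"})

    def upload_document(self, sdk_token: str, applicant_id: str, document: str, now=None) -> int:
        claims = _verify(self._signing_key, sdk_token)
        now = time.time() if now is None else now
        if claims["exp"] <= now:
            raise PermissionError("SDK token expired")
        if claims["applicant_id"] != applicant_id:
            raise PermissionError("SDK token is bound to a different applicant")
        self.applicants[applicant_id]["documents"].append(document)
        return len(self.applicants[applicant_id]["documents"])


# Assumed token shape for the scanner; adapt the pattern to the vendor you actually use.
TOKEN_RE = re.compile(r"\bapi_(?:live|sandbox)\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Constructed sample of what `strings` might print over an unpacked app build.
INSECURE_BUNDLE_STRINGS = [
    "https://api.idv-vendor.example/v3/applicants",
    "Authorization: Token token=" + API_TOKEN,
    "Lcom/example/app/VerificationClient;",
]


def find_embedded_api_tokens(strings) -> list:
    """Static check: does the client bundle contain anything that looks like an API token?"""
    return sorted({m.group(0) for s in strings for m in TOKEN_RE.finditer(s)})


def insecure_flow(vendor: VendorAPI) -> dict:
    """The pattern the article describes: the app ships the API token, so whoever
    pulls it out of the bundle can read every applicant's documents."""
    leaked = find_embedded_api_tokens(INSECURE_BUNDLE_STRINGS)[0]
    return vendor.list_applicants(leaked)


def backend_start_verification(vendor: VendorAPI, user_name: str, now=None):
    """Server side of the recommended flow: only this code ever sees API_TOKEN."""
    applicant_id = vendor.create_applicant(API_TOKEN, user_name)
    return applicant_id, vendor.create_sdk_token(API_TOKEN, applicant_id, now=now)


def _denied(action) -> bool:
    try:
        action()
        return False
    except PermissionError:
        return True


def secure_flow(vendor: VendorAPI) -> dict:
    """Client side: the app holds only the SDK token its own back-end handed it."""
    now = 1_700_000_000  # fixed clock so the expiry check is deterministic
    applicant_id, sdk_token = backend_start_verification(vendor, "Alice Example", now=now)
    other_id, _ = backend_start_verification(vendor, "Bob Example", now=now)  # a second user, created back-end side
    uploaded = vendor.upload_document(sdk_token, applicant_id, "passport-front.jpg", now=now + 5)
    return {
        "uploaded": uploaded,
        "enumeration_blocked": _denied(lambda: vendor.list_applicants(sdk_token)),
        "cross_applicant_blocked": _denied(lambda: vendor.upload_document(sdk_token, other_id, "x.jpg", now=now + 5)),
        "expired_blocked": _denied(lambda: vendor.upload_document(sdk_token, applicant_id, "x.jpg", now=now + 601)),
    }


if __name__ == "__main__":
    v = VendorAPI(API_TOKEN)
    v.create_applicant(API_TOKEN, "Existing Customer")
    print("leaked via embedded API token:", insecure_flow(v))
    print("SDK-token flow:", secure_flow(v))
```

The `find_embedded_api_tokens` check is the one to run in CI over a built APK or IPA before release: a match means the vendor's account-wide secret is about to ship to every user's device. The point of `secure_flow` is what the SDK token cannot do even if it is later extracted from the app: it cannot list other applicants, cannot touch another applicant's record, and stops working after its TTL.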
All of these user numbers come from download counts on Google's Play Store. Apple's App Store does not disclose download numbers, so the true number of affected users is likely much higher and could plausibly be double.
Those who have used any of the apps listed above and fear being targeted by malicious actors should be wary of suspicious messages and login requests from strangers, strengthen their passwords, and enable two-factor authentication wherever possible.
They should also keep their devices up to date and, where possible, run a security solution and a firewall.