Popular apps left biometric data, IDs of millions of users in danger

Personal data belonging to millions of customers of large businesses have been exposed due to a flaw in Onfido IDV.

Millions of customers of large businesses have been left vulnerable to identity theft, thanks to a security flaw that exposes their personal data to illicit download. Among those affected are clients of Europcar, a vehicle rental service, and FxPro, a trading platform.

Original post at CyberNews: https://cybernews.com/security/popular-apps-left-biometric-data-ids-of-millions-of-users-in-danger/Service providers using Onfido, an identification verification (IDV) service, let a major flaw in their security go unchecked, in the form of an exposed admin token that potentially left app users’ biometric data exposed.

Using this safety gap, threat actors could have downloaded personally identifiable information (PII), including copies of client-submitted IDs, passports, and driver’s licenses.

On December 19, Mikail Tunç, a security researcher, discovered a front-end application programming interface (API) token in several mobile apps used by millions of customers worldwide.https://www.youtube.com/embed/OrlPtKrG1iE

Millions affected

Large businesses appear to be affected, including FxPro Direct App – a trading platform with over five million installs on Google Play alone – and Europcar, a vehicle rental service with over one million installs on Google Play.

Other affected businesses include Chip, a UK-based savings app boasting 400,000 users; Hoolah, a shopping app with over 100,000 installs; Mode, a cryptocurrency app with over 50,000 installs; and Greenwheels, a car-sharing service with over 50,000 installs.

Note that iOS users are affected as much as Android users. However, the App Store doesn’t publicly share download data.

The research uncovered more Onfido clients with admin tokens in the front end. However, these were inactive. According to Tunç, that could mean a couple of things.

“The token being included in the application is indicative that it was active and leaking data at some point in time; some could have been in this state for years,” Tunç said.

“The token being included in the application is indicative that it was active and leaking data at some point in time; some could have been in this state for years.”-Mikail Tunç, a security researcher

The other scenario could be that businesses were alerted to the issue by Onfido.

Apps that had inactive front-end admin tokens include the Couchsurfing Travel App, with over five million installs, and the BigPay and Wirex apps, with over a million installs each.

The research also identified Babylon Health, Wombat, and First Bank Romania with over 100,000 installs each, as well as Coconut and Currencies Direct apps with over 10,000 installs each.

Verification process

Onfido, a London-based company, offers photo-based IDV services for businesses. Financial service providers, car rentals, and many other suppliers that need to confirm customer identities employ similar third-party services.

First, the verification process requires customers to take a photo of their ID document. Next, a client is prompted to take a selfie or upload a video to confirm whether there’s a match with the document’s photo.

“If the user is successful on both the document and facial verification checks, Onfido’s client will likely consider the user to have proven their identity,” the company’s privacy policy states.

What’s the problem?

API tokens serve to hide sensitive data exchanged between the app’s user and the server. Only the service provider knows which user or piece of data a specific token represents. Using tokens renders sensitive information inaccessible to threat actors.

However, Onfido provides its clients with an admin token that allows companies to decode the data. In essence, this admin token therefore serves as a master key to open all doors.

What Tunç has discovered is that – contrary to an explicit recommendation by Onfido – developers left the admin key in the front end of several apps used by millions of clients.

In simple terms, an easily accessible admin token means that anyone can have the ‘master key’ and use this to download app users’ data.

The data includes PII such as name, surname, home, email address, and date of birth. Since the IDV process requires users to take pictures of an ID card, passport, or driver’s license, threat actors who obtained the admin token could easily download copies of these documents.

“You must never use API tokens in the front end of your application, or malicious users could discover them in your source code.”-an advisory by Onfido

According to the investigation, threat actors could have also had access to biometric information – liveness check videos and/or selfies customers take to prove their identities.

Though tokens usually have an expiration date, those uncovered in the investigation did not, making the security flaw much more dangerous.

Leaving admin tokens in the front end suggests that app developers did not read the documentation provided by Onfido.

“You must never use API tokens in the front end of your application, or malicious users could discover them in your source code. You should only use them on your server,” Onfido cautions.

First contact

An investigation by Tunç has confirmed at least seven apps with a front-end admin token. The security flaw potentially affects millions of users, as combined app installations on Android devices alone are close to 18 million.

The first app identified as having an open admin API token belongs to Kroo, a London-based fintech with over 10,000 downloads on the Google Play store.

Tunç informed Kroo about the flaw on December 20. Two days later, the company fixed the issue.

Interestingly, on the same day, a post on Kroo’s Twitter account announced that the company was carrying out “essential maintenance on the systems which affects those applying for a Kroo account”.

Though the IDV process that uses the front-end token affects users during the application process, the tweet did not mention the security flaw.

Divergent reaction

Tunç and CyberNews researchers contacted every affected business mentioned in this article to inform them about the issue.

The Onfido security team replied to us after we sent the responsible disclosure emails to affected companies, but we have yet to receive answers to questions sent to Onfido after exchanging technical details regarding the issue.

In contrast, Europcar were quick to react. A representative of the company told CyberNews that it was working with Onfido to resolve the problem.

Europcar also confirmed that front-end tokens have been revoked, closing the breach.

Representatives of Hoolah informed CyberNews that the issue was resolved within a few hours. Additionally, the company claims that a preliminary investigation did not indicate any attempts to gain unauthorized access to its systems.

Meanwhile, Mode claims to have already mitigated the problem by using software development kit (SDK) tokens. According to their response, the front-end token was left in the Android version of the app by a former team member.

“We’re currently doing a full audit with the logs provided to us from Onfido. From our preliminary findings, we can find no evidence of malicious access by a third party. Our investigations are still ongoing,” Mode told CyberNews.

Other companies affected did not respond to our request for comment at time of publication.

Looming dangers

Having your personal data leaked poses many hazards. Threat actors can abuse PII to conduct phishing and social engineering attacks.

PII coupled with an ID card, passport, or driver’s license copy can lead to identity theft. If malicious actors have access to a video used in the IDV process, they could set up accounts using stolen names.

Determined attackers can combine information found in the leaked files with other data breaches to create detailed profiles of their potential victims. In other cases, threat actors can quickly sell valid identification documents on the dark web.

Next steps

If you suspect that threat actors might have scraped your data, we recommend that you:

Beware of suspicious messages and connection requests from strangers.Consider using a password manager to create strong passwords and store them securely.Enable two-factor authentication (2FA) on all your online accounts.Watch out for potential phishing emails and text messages. Again, don’t click on anything suspicious or respond to anyone you don’t know.If you want to know what should engineers and vendors do give a look at the original post published by CyberNews:


Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, large businesses)

The post Popular apps left biometric data, IDs of millions of users in danger appeared first on Security Affairs.