A serious security flaw in half a dozen popular mobile apps potentially leaked the personal and sensitive data of users online.
Researcher Mikail Tunç discovered in late December 2021 that multiple mobile apps on both Android and iOS have misconfigured identification verification services. More precisely - they did not follow best practices, as recommended by the service provider, Onfido.
Instead of keeping an API token at the back-end, they kept it exposed in the front-end, potentially leaking biometric data. Had someone found the flaw before Tunç, they could have obtained personally identifiable data such as ID cards, passports, or driver’s licenses, emails, full names, or physical addresses, putting users at risk of potential identity theft. Furthermore, an attacker could have obtained selfie videos, something many identification verification services require.
Millions of potential victims
No one had allegedly found the flaw before Tunç, meaning the data remains safe for now - although whether or not that’s actually the case still remains to be seen.
According to CyberNews, which first revealed the news, the apps that were affected include FxPro Direct App, a trading platform with more than five million users, Europcar, a rent-a-car with more than a million users, Chip, savings app with almost half a million users, shopping app Hoolah, cryptocurrency app Mode, and a car-sharing service Greenwheels.
CyberNews asked Onfido whether it monitors if their clients follow a recommendation not to leave the API token in the frontend, with the company saying it provides detailed technical guidance to customers on how to implement the Onfido IDV workflow securely.
"As with other companies in similar domains it’s technically very difficult to tell if a private key is being used improperly, across such a diverse range of workflows, making it hard to enforce," Onfido said, adding that its initial investigations showed there is no evidence of unauthorized access to data.
Those who used one of the apps listed above, and fear they might be targeted by malicious actors, should be extra careful of suspicious messages and connection requests from strangers, should reinforce their passwords, and add two-factor authentication whenever possible.
They should also make sure they keep their devices updated, run a cybersecurity solution, and a firewall, if possible.
- You might also want to check out our list of the best VPNs right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.