The digital wallet application Key Ring recently exposed information from its 14 million users.
Key Ring is a mobile application that allows users to create a digital wallet on their devices and use them to store scans and photos of membership and loyalty cards. Many users also store in the digital store copies of documents, including IDs, driver’s licenses, and credit cards.
vpnMentor discovered a misconfigured Amazon S3 bucket that was leaking documents uploaded by the users. Further investigation allowed the experts to discovered other unsecured S3 buckets belonging to the company that were also exposing sensitive data.
“A misconfigured Amazon Web Services (AWS) S3 bucket owned by the company exposed these uploads and revealed their owners’ private data. During our team’s investigation, they also found four additional unsecured S3 buckets belonging to Key Ring, exposing even more sensitive data.” reads the post published by vpnMentor.
“These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud.”
It is not clear how long the information remained exposed online, according to vpnMentor at least since January when they first spotted the unsecured bucket.
Below the timeline of the discovery:
The experts found more than 44 million images uploaded by Key Ring users in one of the AWS S3 buckets they have discovered. The images include scans of government-issued IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV), medical insurance cards, medical marijuana ID cards, and more.
Experts also found CSV files storing membership lists and reports for some of North American retail brands.
“These lists contained the Personally Identifiable Information (PII) data of millions of people.” continues the report.
“Examples of companies affected, and the number of customer entries included:
vpnMentor discovered other four S3 buckets containing private data, such as a snapshot of the company’s database containing sensitive information about its users.
Data contained in the database includes emails, home addresses, device and IP address information, encrypted passwords and the “salt” randomized data used to encrypt them.
“In total, five S3 buckets belonging to Key Ring were exposed, all containing valuable, private information that could have serious security implications for millions of people,” vpnMentor concludes.
“Had malicious hackers discovered these buckets, the impact on Key Ring users (and the company itself) would be enormous. In fact, we can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring.”
(SecurityAffairs – Lokibot malware, Coronavirus)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.