Money transfer app Duc has exposed thousands of driver’s licenses and passports on the open web


An Amazon-hosted storage server that was publicly accessible allowed anyone with a web browser to access the personal data of hundreds of thousands of people without needing a password. The data included driver’s licenses, passports and other personal information collected by the Duc app, a money transfer service owned by Toronto-based Duales.

The Canadian fintech company said it resolved a data exposure issue on Tuesday after TechCrunch alerted its CEO that one of the company’s cloud storage servers was publicly listing its contents without a password.

The data was also stored unencrypted, meaning anyone with a link to the data was able to view it in its entirety.

Anurag Sen, the security researcher at CyPeace who discovered the vulnerability earlier in the week, contacted TechCrunch in an attempt to notify the owner of the data. Anyone can view and download data using their browser just by knowing the easy-to-guess web address of the storage server, Sen said.

According to Sen, the Amazon-hosted storage server listed more than 360,000 files containing government-issued documents and other information that customers use to verify their identity through “know your customer” checks. These files included selfies that users uploaded to show that they match the person on their identity documents.

TechCrunch was unable to confirm the exact number of driver’s licenses and passports exposed, but many of the folders in the exposed collection contained tens of thousands of user-uploaded files, a sample of which included driver’s licenses, passports, and personal photos.

Duales markets its app as a way for users to send money to other users, including abroad to Cuba and elsewhere. The app’s listing on the Google Play store shows more than 100,000 downloads so far.

The files, which date back to September 2020 and were uploaded daily, also include spreadsheets listing customers’ names, home addresses, and the dates, times and details of their transactions.

When contacted by email, Duales CEO Henry Martinez Gonzalez told TechCrunch that the data was stored on a “staging site,” referring to a website used primarily for testing, but did not explain why customers’ personal information would be publicly accessible in the same database.

“All the protections are in place,” Martinez Gonzalez said. “We are notifying interested parties. We have not contracted for any services with you.”

After TechCrunch sent an email to the company, files on the storage server became inaccessible, although a list of the server’s contents is still visible.

Martinez Gonzalez did not clarify whether the company had the technical means, such as logs, to determine who or how many people accessed the data.

The Duc App website was briefly down on Thursday, displaying a “Bad Gateway” error.

It’s not clear how or why Duales left the Amazon-hosted storage server open to the public on the Internet. In recent years, Amazon has added security checks to prevent customers from inadvertently exposing their data online, after a series of high-profile incidents in which several giant companies, including a US spy agency, exposed sensitive data on the web through misconfigurations.

Contacted by TechCrunch as part of its effort to reach the app’s owner, Canada’s privacy regulator said it was seeking more information from the company.

“The Office of the Privacy Commissioner of Canada has reached out to the company to obtain more information and determine next steps,” a spokesperson for the regulator told TechCrunch via email, declining to comment further.

Duc App is the latest in a string of recent security lapses that exposed sensitive identity data to outsiders. This exposure comes at a time when apps and websites are increasingly asking users to upload government-issued documents to verify their identity, without taking adequate steps to secure the data they collect.

Last year, popular app TeaOnHer exposed thousands of its users’ passports and driver’s licenses, which the app required users to upload before allowing them into the app’s gated community. Discord last year also confirmed a data breach affecting about 70,000 government-issued documents uploaded by users who sought to verify their ages, amid a global effort to enact online age verification laws.


🕒 **Posted on**: 1775153050
