
Duc Money Transfer App Exposed Driver’s Licenses and Passports

Summary

– An unsecured Amazon server exposed hundreds of thousands of personal files from the Duc App, including driver’s licenses, passports, and selfies, without requiring a password.
– The data was stored unencrypted and publicly accessible via an easy-to-guess web address, a lapse discovered by a security researcher.
– The exposed files also contained customer spreadsheets with names, addresses, and transaction details dating back to 2020.
– The company’s CEO claimed the data was on a staging site and stated protections were in place, but the server was secured only after media contact.
– Canada’s privacy regulator is seeking information from the company, marking another incident of sensitive identity document exposure by an app.

A significant data exposure at a Canadian financial technology firm has left hundreds of thousands of customer documents unprotected online. The incident involved the Duc App, a money-transfer service owned by Toronto-based Duales, where a misconfigured cloud server publicly exposed sensitive user files without any password protection or encryption.

The security lapse was discovered earlier this week by researcher Anurag Sen of CyPeace. He found that an Amazon-hosted storage server belonging to the company was openly listing its contents, allowing anyone with a web browser and the server’s address to view and download the data. The exposed files, which numbered over 360,000, included driver’s licenses, passports, and user-uploaded selfies collected for identity verification. Spreadsheets containing customer names, home addresses, and detailed transaction records were also accessible.
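The exposure described above is the classic anonymous-listing misconfiguration: a bucket whose policy or ACL lets unauthenticated callers enumerate and fetch objects. The following is an added example, not code from the article, TechCrunch or Duales, that audits a bucket policy document and ACL grants for that condition; the policy, bucket name and account id are constructed sample data.

```python
import json
from fnmatch import fnmatch

# S3's predefined "everyone" grantee used in bucket ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def _principals(p):
    """Flatten a policy Principal element ("*", {"AWS": [...]}, ...) into strings."""
    if isinstance(p, str):
        return [p]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return list(p)


def public_grants(policy_json, acl_grants=()):
    """Return sorted actions that anonymous callers are granted.

    policy_json: bucket policy document as a JSON string, or None.
    acl_grants:  iterable of (grantee_uri, permission) pairs from the bucket ACL.
    Condition blocks are ignored on purpose, so a hit means "review", not "proven open".
    """
    found = set()
    if policy_json:
        for st in json.loads(policy_json).get("Statement", []):
            if st.get("Effect") != "Allow" or "*" not in _principals(st.get("Principal", [])):
                continue
            acts = st.get("Action", [])
            found.update(acts if isinstance(acts, list) else [acts])
    for uri, perm in acl_grants:
        if uri == ALL_USERS:
            found.add(f"acl:{perm}")  # ACL READ on a bucket == anonymous listing
    return sorted(found)


def listing_exposed(policy_json, acl_grants=()):
    """True when anonymous users can enumerate object names, the condition that
    let a browser visitor walk the directory listing in the incident above."""
    grants = public_grants(policy_json, acl_grants)
    return "acl:READ" in grants or any(fnmatch("s3:ListBucket", g) for g in grants)


# Constructed sample policy resembling the misconfiguration, not the real one.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-kyc-uploads", "arn:aws:s3:::example-kyc-uploads/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-kyc-uploads/*"}]})
SAMPLE_ACL = [(ALL_USERS, "READ")]

if __name__ == "__main__":
    print(public_grants(SAMPLE_POLICY, SAMPLE_ACL), listing_exposed(SAMPLE_POLICY, SAMPLE_ACL))
```

In a real audit the policy string comes from `get-bucket-policy` and the grants from `get-bucket-acl`; enabling S3 Block Public Access at the account level prevents both grant types from taking effect regardless of what the audit finds.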

TechCrunch alerted Duales chief executive Henry Martinez González to the exposure on Tuesday. The company subsequently secured the server, making the files inaccessible, though a directory listing remained visible. Martinez González described the exposed server as a “staging site” used for testing but did not clarify why live customer data was stored there or made publicly accessible. He stated that “all protections are in place” and that the company was notifying the appropriate parties, but declined to say whether logs existed to determine if anyone else had accessed the data.

The exposed information dated back to September 2020, with new files being uploaded daily. While the exact count of exposed passports and licenses is unclear, sampled folders each contained tens of thousands of such documents. The Duc App, which allows users to send money internationally to locations like Cuba, has been downloaded over 100,000 times on the Google Play Store.

This incident highlights ongoing risks in the fintech sector, where apps increasingly require government-issued documents for “know your customer” checks but sometimes fail to implement robust security for the collected data. In a statement to TechCrunch, the Office of the Privacy Commissioner of Canada confirmed it has reached out to Duales for more information to determine next steps.

The Duc App exposure follows a pattern of similar security failures. Last year, the social app TeaOnHer exposed thousands of user passports and driver’s licenses, while Discord confirmed a breach affecting approximately 70,000 government documents uploaded for age verification. These incidents occur despite cloud providers like Amazon implementing more safeguards to prevent such inadvertent data exposures after high-profile corporate and government leaks. The Duc App’s website experienced brief downtime on Thursday, displaying a “bad gateway” error as the company addressed the fallout.

(Source: TechCrunch)
