ADVERTISEMENT

Popular apps left biometric data, IDs of potentially millions of users in danger

Biometric-Face-Idntification
Vilius Petkauskas
Vilius Petkauskas Deputy Editor
Jan 27, 2022 Updated: 28 July 2025 7 min read

Millions affected

"The token being included in the application is indicative that it was active and leaking data at some point in time; some could have been in this state for years."
-Mikail Tunç, a security researcher

Verification process

face-id-verification

What's the problem?

"You must never use API tokens in the front end of your application, or malicious users could discover them in your source code."
-an advisory by Onfido

First contact

ADVERTISEMENT
passport-privacy-id

Divergent reaction

identity-theft-passport

Looming dangers

Next steps

  • Beware of suspicious messages and connection requests from strangers.
  • Consider using a password manager to create strong passwords and store them securely.
  • Enable two-factor authentication (2FA) on all your online accounts.
  • Watch out for potential phishing emails and text messages. Again, don't click on anything suspicious or respond to anyone you don't know.

What should engineers do?

  • Always read vendor documentation very carefully. Vendors with good documentation will often state which tokens can and cannot be shared publicly.
  • If you're not sure if a token should be public, test it! Do a mini-threat model to explore the worst someone could do with this token.
  • Always remember that anything published on the internet (this includes but is not limited to application stores) can and will be discovered.
  • Don't make the mistake of trying to hide secrets in an obfuscated app. There is a plethora of techniques and frameworks to deobfuscate code.
  • Have secret scanning as part of your build pipelines to ensure you are alerted when secrets are discovered in code.

What should vendors do?

  • Design your systems with security and privacy in mind. Make it difficult for integrators to misuse tokens where they shouldn't.
  • Make it very clear in your integration documentation which tokens should and should not be used on the front end.
  • Prefix your secrets with text such as "private" or "secret" to make integrators think twice before including these in front-end applications.

More from CyberNews:

ADVERTISEMENT