Updated with an official statement from the company on 31 January.
Millions of customers of large businesses have been left vulnerable to identity theft, thanks to a security flaw that exposes their personal data to illicit download. Among those affected are clients of Europcar, a vehicle rental service, and FxPro, a trading platform.
Service providers using Onfido, an identity verification (IDV) service, left a major security flaw unchecked: an admin token exposed in their apps that potentially put app users' biometric data at risk. Despite an explicit recommendation from Onfido, developers of apps that use Onfido left the admin key in the front end of several apps used by millions of clients.
Through this security gap, threat actors could have downloaded personally identifiable information (PII), including copies of client-submitted IDs, passports, and driver's licenses.
On December 19, Mikail Tunç, a security researcher, discovered a front-end application programming interface (API) token in several mobile apps used by millions of customers worldwide.
Large businesses appear to be affected, including FxPro Direct App - a trading platform with over five million installs on Google Play alone - and Europcar, a vehicle rental service with over one million installs on Google Play.
Other affected businesses include Chip, a UK-based savings app boasting 400,000 users; Hoolah, a shopping app with over 100,000 installs; Mode, a cryptocurrency app with over 50,000 installs; and Greenwheels, a car-sharing service with over 50,000 installs.
Note that iOS users are affected as much as Android users. However, the App Store doesn't publicly share download data.
The research uncovered more Onfido clients with admin tokens in the front end. However, these were inactive. According to Tunç, that could mean a couple of things.
"The token being included in the application is indicative that it was active and leaking data at some point in time; some could have been in this state for years," Tunç said.
The other scenario could be that businesses were alerted to the issue by Onfido.
Apps that had inactive front-end admin tokens include the Couchsurfing Travel App, with over five million installs, and the BigPay and Wirex apps, with over a million installs each.
The research also identified Wombat and First Bank Romania with over 100,000 installs each, as well as Coconut and Currencies Direct apps with over 10,000 installs each.
Onfido, a London-based company, offers photo-based IDV services for businesses. Financial service providers, car rentals, and many other suppliers that need to confirm customer identities employ similar third-party services.
First, the verification process requires customers to take a photo of their ID document. Next, a client is prompted to take a selfie or upload a video to confirm whether there's a match with the document's photo.
What's the problem?
API tokens stand in for sensitive data exchanged between the app's user and the server. Only the service provider knows which user or piece of data a specific token represents, so the underlying information stays inaccessible to threat actors.
However, Onfido provides its clients with an admin token that allows companies to decode the data. In essence, this admin token serves as a master key that opens every door.
What Tunç discovered is that, contrary to an explicit recommendation by Onfido, developers left the admin key in the front end of several apps used by millions of clients.
In simple terms, an easily accessible admin token means that anyone can have the 'master key' and use this to download app users’ data.
The data includes PII such as name, surname, home and email addresses, and date of birth. Since the IDV process requires users to take pictures of an ID card, passport, or driver's license, threat actors who obtained the admin token could easily download copies of these documents.
According to the investigation, threat actors could have also had access to biometric information - liveness check videos and/or selfies customers take to prove their identities.
Though tokens usually have an expiration date, those uncovered in the investigation did not, making the security flaw much more dangerous.
Leaving admin tokens in the front end suggests that app developers did not read the documentation provided by Onfido.
"You must never use API tokens in the front end of your application, or malicious users could discover them in your source code. You should only use them on your server," Onfido cautions.
An investigation by Tunç has confirmed at least seven apps with a front-end admin token. The security flaw potentially affects millions of users, as combined app installations on Android devices alone are close to 18 million.
The first app identified as having an open admin API token belongs to Kroo, a London-based fintech with over 10,000 downloads on the Google Play store.
Tunç informed Kroo about the flaw on December 20. Two days later, the company fixed the issue.
Interestingly, on the same day, a post on Kroo's Twitter account announced that the company was carrying out “essential maintenance on the systems which affects those applying for a Kroo account”.
Though the IDV process that uses the front-end token affects users during the application process, the tweet did not mention the security flaw.
Tunç and CyberNews researchers contacted every affected business mentioned in this article to inform them about the issue.
The Onfido security team replied to us after we sent the responsible disclosure emails to affected companies. We also sent questions to Onfido after exchanging technical details regarding the issue.
The company responded after the publication went live.
We inquired whether Onfido monitors whether its clients follow its recommendation not to leave the API token in the front end. According to Onfido, the company provides detailed technical guidance to customers on how to implement the Onfido IDV workflow securely.
"As with other companies in similar domains it’s technically very difficult to tell if a private key is being used improperly, across such a diverse range of workflows, making it hard to enforce," Onfido told CyberNews.
According to the company, immediate investigation by Onfido showed there is no evidence of unauthorized access to data.
In contrast, Europcar was quick to react. A representative of the company told CyberNews that it was working with Onfido to resolve the problem.
Europcar also confirmed that front-end tokens have been revoked, closing the breach.
Representatives of Hoolah informed CyberNews that the issue was resolved within a few hours. Additionally, the company claims that a preliminary investigation did not indicate any attempts to gain unauthorized access to its systems.
Meanwhile, Mode claims to have already mitigated the problem by using software development kit (SDK) tokens. According to their response, the front-end token was left in the Android version of the app by a former team member.
“We’re currently doing a full audit with the logs provided to us from Onfido. From our preliminary findings, we can find no evidence of malicious access by a third party. Our investigations are still ongoing,” Mode told CyberNews.
Other companies affected did not respond to our request for comment at the time of publication.
Having your personal data leaked poses many hazards. Threat actors can abuse PII to conduct phishing and social engineering attacks.
PII coupled with an ID card, passport, or driver's license copy can lead to identity theft. If malicious actors have access to a video used in the IDV process, they could set up accounts using stolen names.
Determined attackers can combine information found in the leaked files with other data breaches to create detailed profiles of their potential victims. In other cases, threat actors can quickly sell valid identification documents on the dark web.
If you suspect that threat actors might have scraped your data, we recommend that you:
- Beware of suspicious messages and connection requests from strangers.
- Consider using a password manager to create strong passwords and store them securely.
- Enable two-factor authentication (2FA) on all your online accounts.
- Watch out for potential phishing emails and text messages. Again, don't click on anything suspicious or respond to anyone you don't know.
What should engineers do?
Researchers behind the investigation recommend the following to engineers and developers:
- Always read vendor documentation very carefully. Vendors with good documentation will often state which tokens can and cannot be shared publicly.
- If you're not sure if a token should be public, test it! Do a mini-threat model to explore the worst someone could do with this token.
- Always remember that anything published on the internet (this includes but is not limited to application stores) can and will be discovered.
- Don't make the mistake of trying to hide secrets in an obfuscated app. There is a plethora of techniques and frameworks to deobfuscate code.
- Have secret scanning as part of your build pipelines to ensure you are alerted when secrets are discovered in code.
What should vendors do?
Meanwhile, vendors such as Onfido selling their services further down the line are advised to:
- Design your systems with security and privacy in mind. Make it difficult for integrators to misuse tokens where they shouldn't.
- Make it very clear in your integration documentation which tokens should and should not be used on the front end.
- Prefix your secrets with text such as "private" or "secret" to make integrators think twice before including these in front-end applications.
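As an added example (not code from CyberNews, Onfido or any of the affected apps), the following Python script shows what the secret-scanning build step recommended to engineers above could look like, and how the prefix convention recommended to vendors makes that scan more reliable. It walks the text files of a decoded app bundle, picks out values assigned to names that mention a token, key or secret (plus Android string resources), and flags a value when it carries an assumed server-only prefix (`private_`, `secret_`) or is a long, high-entropy token-shaped string. The file contents, token values and prefixes are constructed for this example; the real format of Onfido tokens is not assumed, and findings only ever show the first characters of a value so the pipeline log does not itself become a leak.

```python
import math
import re
from collections import Counter

# Prefixes assumed here for server-only secrets, following the suggestion that
# vendors mark private tokens with words like "private" or "secret". Illustrative
# only: no real vendor's token format is assumed.
SERVER_ONLY_PREFIXES = ("private_", "secret_")

# Assignment-style entries whose name mentions a token, key or secret, e.g.
#   onfido_admin_token = "..."   "onfido_admin_token": "..."   api.key=...
ASSIGNMENT_RE = re.compile(
    r'\b([A-Za-z0-9_.\-]*(?:token|key|secret)[A-Za-z0-9_.\-]*)["\']?\s*[=:]\s*["\']?([^"\'\s,;}]+)',
    re.IGNORECASE,
)
# Android string resources: <string name="...">...</string>
XML_STRING_RE = re.compile(r'<string\s+name="([^"]+)">([^<]+)</string>', re.IGNORECASE)
# A bare token-shaped value: one run of URL-safe characters, at least 20 long
TOKEN_SHAPE_RE = re.compile(r'^[A-Za-z0-9_.\-]{20,}$')


def shannon_entropy(value):
    """Bits per character; random API tokens usually score well above 3.5."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_value(value):
    """Return the reasons a value looks like a server-side secret (empty if none)."""
    reasons = []
    if value.lower().startswith(SERVER_ONLY_PREFIXES):
        reasons.append("server-only prefix")
    # URLs, file paths and short words fail the shape test, which keeps noise down
    if TOKEN_SHAPE_RE.match(value) and shannon_entropy(value) >= 3.5:
        reasons.append("high entropy")
    return reasons


def scan_text(path, text):
    """Scan one file's text; each finding records where it was and why it was flagged."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        candidates = [(m.group(1), m.group(2)) for m in ASSIGNMENT_RE.finditer(line)]
        candidates += [(m.group(1), m.group(2)) for m in XML_STRING_RE.finditer(line)]
        for name, value in candidates:
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "path": path, "line": lineno, "name": name,
                    "reasons": reasons,
                    "preview": value[:10] + "...",  # never log the full secret
                })
    return findings


def scan_bundle(files):
    """files maps a relative path inside a decoded app bundle to its text."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(scan_text(path, text))
    return findings


def pipeline_gate(files):
    """Exit status for a CI step: non-zero when any server-side secret is found."""
    return 1 if scan_bundle(files) else 0


# Constructed stand-in for a decoded bundle; every value below is made up for this example.
SAMPLE_BUNDLE = {
    "assets/config.json": '{"onfido_admin_token": "private_9fK2xQ8mLp4vT1nRb6wZ", '
                          '"sdk_token_endpoint": "https://api.example.invalid/v3/sdk_token"}',
    "res/values/strings.xml": '<resources>\n'
                              '  <string name="app_name">Example Wallet</string>\n'
                              '  <string name="analytics_key">secret_Hq7dLm3Vp9Xc2Kt8Rz4W</string>\n'
                              '</resources>',
    "assets/build.properties": 'build.number=4211\nsigning.key.alias=release\n',
}

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f['path']}:{f['line']} {f['name']} -> {', '.join(f['reasons'])} ({f['preview']})")
    raise SystemExit(pipeline_gate(SAMPLE_BUNDLE))
```

Run against the sample bundle, the script flags the two prefixed admin-style tokens and ignores the endpoint URL, the short key alias and the ordinary string resource. In a real pipeline the same functions would be pointed at the unpacked release artifact rather than the source tree, since what matters is what actually ships to the app store; the non-zero exit status is what stops the build.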