These top mobile apps may have exposed personal user data online

data privacy
(Image credit: Shutterstock / Zeeker2526)

A serious security flaw in half a dozen popular mobile apps potentially leaked the personal and sensitive data of users online.

Researcher Mikail Tunç discovered in late December 2021 that multiple mobile apps on both Android and iOS have misconfigured identification verification services. More precisely - they did not follow best practices, as recommended by the service provider, Onfido. 

Instead of keeping an API token at the back-end, they kept it exposed in the front-end, potentially leaking biometric data. Had someone found the flaw before Tunç, they could have obtained personally identifiable data such as ID cards, passports, or driver’s licenses, emails, full names, or physical addresses, putting users at risk of potential identity theft. Furthermore, an attacker could have obtained selfie videos, something many identification verification services require.

Millions of potential victims

No one had allegedly found the flaw before Tunç, meaning the data remains safe for now - although whether or not that’s actually the case still remains to be seen. 

According to CyberNews, which first revealed the news, the apps that were affected include FxPro Direct App, a trading platform with more than five million users, Europcar, a rent-a-car with more than a million users, Chip, savings app with almost half a million users, shopping app Hoolah, cryptocurrency app Mode, and a car-sharing service Greenwheels. 

CyberNews asked Onfido whether it monitors if their clients follow a recommendation not to leave the API token in the frontend, with the company saying it provides detailed technical guidance to customers on how to implement the Onfido IDV workflow securely.

"As with other companies in similar domains it’s technically very difficult to tell if a private key is being used improperly, across such a diverse range of workflows, making it hard to enforce," Onfido said, adding that its initial investigations showed there is no evidence of unauthorized access to data.

All these figures are from Google’s Play Store. Apple’s App Store does not even disclose download numbers, but it’s safe to say that these figures could, in the least, be double.

Those who used one of the apps listed above, and fear they might be targeted by malicious actors, should be extra careful of suspicious messages and connection requests from strangers, should reinforce their passwords, and add two-factor authentication whenever possible.

They should also make sure they keep their devices updated, run a cybersecurity solution, and a firewall, if possible. 

  • You might also want to check out our list of the best VPNs right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Someone holding a passport with two boarding passes inside it
Top digital loan firm security slip-up puts data of 36 million users at risk
Stalkerware
New spyware found to be snooping on thousands of Android and iOS users
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data
Kaspersky Report on Stalkerware
Security flaw in popular stalkerware apps is exposing phone data of millions
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
A top online gift card store may have exposed private data on hundreds of thousands of users
Security padlock and circuit board to protect data
Mexican fintech company Miio exposed millions of files of sensitive customer data
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake