The research team at vpnMentor has discovered a data leak at Key Ring, a popular digital wallet app used by 14 million users across North America, that may have compromised users’ privacy and security.
The app allows users to upload scans and photos of membership and loyalty cards onto a digital folder on a user’s phone, but many users also store copies of IDs, driver’s licenses, credit cards, and other personal data using the app – even including NRA membership cards.
Key Ring offers users a “One-Stop Shopping Solution” that leverages various technologies to let users create a digital wallet on their phones. Users store virtual copies and scans of gift cards, membership cards, etc. within the app. The app also includes more features designed to make shopping and participation in loyalty/membership programs easier.
Researchers Noam Rotem and Ran Locar said a misconfigured Amazon Web Services (AWS) S3 bucket owned by the company exposed 44 million uploaded images. The investigation also found four additional unsecured S3 buckets belonging to Key Ring which exposed additional sensitive data.
“These unsecured S3 buckets were a goldmine for cybercriminals, exposing millions of people to various forms of cyberattack and fraud,” said Locar.
“We can’t confirm how long the buckets were open, but the first was picked up by our web scanning tools in January,” said Rotem, Co-Head of the vpnMentor Research Lab. “At the time, we were undertaking numerous investigations into other data leaks and had to complete these before we could analyze Key Ring’s S3 buckets. Once the details of the leak were confirmed, we immediately contacted Key Ring and AWS to disclose the discovery and assist in fixing the leak. The buckets were secured shortly after.”
The full report, “Popular Digital Wallet Exposes Millions to Risk in Huge Data Leak,” which details the data leak, samples of images leaked online, and subsequent actions recommended and deployed by Key Ring, is at: https://www.vpnmentor.com/blog/report-keyring-leak/
[Images: samples of the exposed images. Captions: Charge Card Front, Charge Card Back, Professional ID, NRA Membership Card]