A serious vulnerability found in six popular mobile apps could have exposed the personal and sensitive data of millions of users online. Researcher Mikail Tunç discovered in late December 2021 that several mobile apps on both Android and iOS had misconfigured their identity verification integration: they did not follow the integration guidance of the service provider, Onfido.
Instead of keeping the provider API token on the backend, the apps shipped it in the frontend, where anyone who extracts it from the app binary can use it to pull biometric data. Malicious actors who found this vulnerability before Tunç could have obtained personally identifiable data such as identity cards, passports and driving licences, as well as emails, full names and physical addresses. Selfie videos, which many identity verification services require, could also have been stolen.
Tunç is reported to be the first to have found the vulnerability, which would mean the data is safe for now; whether that is really the case is still unclear. API tokens often carry an expiration date as an added security measure, but the exposed tokens had none, which makes the threat much greater.
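To make the two preceding paragraphs concrete (a full-privilege API token shipped in the client versus a backend that holds the token and hands the app only a scoped, expiring token), here is an added example. It is not code from the article, from any of the affected apps or from Onfido: the provider is an offline stand-in, the endpoint behaviour, the token format `api_live.…`, the 90-minute SDK token lifetime and all names (`FakeProvider`, `Backend`, `insecure_app_upload`, `hardened_app_upload`, `find_embedded_api_tokens`) are assumptions made for the example.

```python
import hashlib
import hmac
import json
import re
import secrets
import time


class FakeProvider:
    """Offline stand-in for an identity-verification provider (hypothetical, not
    Onfido's real API). One long-lived API token grants full account access;
    SDK tokens are short-lived and scoped to a single applicant."""

    API_TOKEN = "api_live.EXAMPLE.not-a-real-token"  # constructed placeholder
    SDK_TOKEN_TTL = 90 * 60  # seconds; assumed lifetime for this example

    def __init__(self):
        self.documents = {}  # applicant_id -> list of uploaded blobs

    def _require_api_token(self, auth_header):
        if not hmac.compare_digest(auth_header, f"Token token={self.API_TOKEN}"):
            raise PermissionError("401: invalid API token")

    def create_applicant(self, auth_header, first_name, last_name):
        self._require_api_token(auth_header)
        return "app_" + secrets.token_hex(4)

    def create_sdk_token(self, auth_header, applicant_id, application_id, now=None):
        """Mint an applicant-scoped, expiring token, signed so the client cannot forge one."""
        self._require_api_token(auth_header)
        exp = int((now if now is not None else time.time()) + self.SDK_TOKEN_TTL)
        body = json.dumps({"app": applicant_id, "aud": application_id, "exp": exp}, sort_keys=True)
        sig = hmac.new(self.API_TOKEN.encode(), body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def upload_document(self, sdk_token, applicant_id, blob, now=None):
        body, _, sig = sdk_token.rpartition(".")
        expect = hmac.new(self.API_TOKEN.encode(), body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expect):
            raise PermissionError("401: bad SDK token signature")
        claims = json.loads(body)
        if claims["exp"] < (now if now is not None else time.time()):
            raise PermissionError("401: SDK token expired")
        if claims["app"] != applicant_id:
            raise PermissionError("403: SDK token is scoped to another applicant")
        self.documents.setdefault(applicant_id, []).append(blob)

    def list_all_documents(self, auth_header):
        """Account-wide read: exactly what a leaked API token hands an attacker."""
        self._require_api_token(auth_header)
        return {k: list(v) for k, v in self.documents.items()}


def insecure_app_upload(provider, blob):
    """The pattern the article describes: the provider API token is a string
    constant inside the shipped app, so the phone talks to the provider directly."""
    auth = f"Token token={FakeProvider.API_TOKEN}"  # recoverable with `strings` on the binary
    applicant_id = provider.create_applicant(auth, "Ada", "Example")
    sdk_token = provider.create_sdk_token(auth, applicant_id, "com.example.app")
    provider.upload_document(sdk_token, applicant_id, blob)
    return auth  # what an attacker walks away with after unpacking the APK/IPA


def attacker_with_extracted_token(provider, auth_from_binary):
    """With the extracted token, every user's documents are one call away."""
    return provider.list_all_documents(auth_from_binary)


class Backend:
    """Hardened pattern: only the server holds the API token. The app authenticates
    to the server, which creates the applicant and returns a scoped SDK token."""

    def __init__(self, provider):
        self._provider = provider
        self._auth = f"Token token={FakeProvider.API_TOKEN}"  # from a secret store, never shipped
        self.sessions = {}  # session_id -> authenticated user (constructed for the example)

    def start_verification(self, session_id, application_id, now=None):
        user = self.sessions[session_id]  # KeyError == unauthenticated caller
        applicant_id = self._provider.create_applicant(self._auth, user["first"], user["last"])
        return applicant_id, self._provider.create_sdk_token(self._auth, applicant_id, application_id, now)


def hardened_app_upload(backend, provider, session_id, blob, now=None):
    """The app never sees the API token; it only holds a short-lived, single-applicant token."""
    applicant_id, sdk_token = backend.start_verification(session_id, "com.example.app", now)
    provider.upload_document(sdk_token, applicant_id, blob, now)
    return applicant_id, sdk_token


API_TOKEN_RE = re.compile(r"api_(?:live|sandbox)\.[A-Za-z0-9_.-]{8,}")  # assumed token shape


def find_embedded_api_tokens(decompiled_strings):
    """Triage check over `strings`-style output from an app bundle: any hit here
    means a provider API token is shipping in the client."""
    return sorted({m.group(0) for line in decompiled_strings for m in API_TOKEN_RE.finditer(line)})


if __name__ == "__main__":
    provider = FakeProvider()
    leaked = insecure_app_upload(provider, b"passport-front.jpg")
    print("attacker sees:", attacker_with_extracted_token(provider, leaked))
    backend = Backend(FakeProvider())
    backend.sessions["sess-1"] = {"first": "Ada", "last": "Example"}
    print("hardened applicant:", hardened_app_upload(backend, backend._provider, "sess-1", b"id.jpg")[0])
```

The point of the split is that an attacker who unpacks the hardened app recovers nothing reusable: the SDK token is bound to one applicant, expires on its own, and cannot call the account-wide endpoints, while the API token that could never leaves the server. Running the scanner over `strings` output of a release build is the quickest way to confirm which pattern an app actually uses.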
According to CyberNews, which first published the news, the affected apps include the FxPro Direct App, a trading platform with more than five million users; Europcar, a car rental company with more than one million users; the savings app Chip; the shopping app Hoolah; the cryptocurrency app Mode; and Greenwheels, a ride-sharing service.