Pierluigi Paganini April 06, 2020

vpnMentor researchers discovered that the popular digital wallet application Key Ring exposed data belonging to millions of users in a huge data leak.

The digital wallet application Key Ring recently exposed information from its 14 million users.

Key Ring is a mobile application that allows users to create a digital wallet on their devices and use them to store scans and photos of membership and loyalty cards. Many users also store in the digital store copies of documents, including IDs, driver’s licenses, and credit cards.

vpnMentor discovered a misconfigured Amazon S3 bucket that was leaking documents uploaded by the users. Further investigation allowed the experts to discovered other unsecured S3 buckets belonging to the company that were also exposing sensitive data.

“A misconfigured Amazon Web Services (AWS) S3 bucket owned by the company exposed these uploads and revealed their owners’ private data. During our team’s investigation, they also found four additional unsecured S3 buckets belonging to Key Ring, exposing even more sensitive data.” reads the post published by vpnMentor.

“These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud.”

It is not clear how long the information remained exposed online, according to vpnMentor at least since January when they first spotted the unsecured bucket.

Below the timeline of the discovery:

• Date discovered: January 2020
• Date Key Ring and AWS contacted: 18th February 2020
• Date of Action: 20th February 2020

The experts found more than 44 million images uploaded by Key Ring users in one of the AWS S3 buckets they have discovered. The images include scans of government-issued IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV), medical insurance cards, medical marijuana ID cards, and more.

Experts also found CSV files storing membership lists and reports for some of North American retail brands.

“These lists contained the Personally Identifiable Information (PII) data of millions of people.” continues the report.

“Examples of companies affected, and the number of customer entries included:

• Walmart/Kleenex list: ~16,000,000
• Kids Eat Free Campaign: ~64,000
• Unknown marketing campaign report: ~86,000
• La Madeleine Bakery chain: ~6,600
• Footlocker: Unknown amount of records
• Mattel ~2,000″

vpnMentor discovered other four S3 buckets containing private data, such as a snapshot of the company’s database containing sensitive information about its users.

Data contained in the database includes emails, home addresses, device and IP address information, encrypted passwords and the “salt” randomized data used to encrypt them.

“In total, five S3 buckets belonging to Key Ring were exposed, all containing valuable, private information that could have serious security implications for millions of people,” vpnMentor concludes.

“Had malicious hackers discovered these buckets, the impact on Key Ring users (and the company itself) would be enormous. In fact, we can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring.”

Pierluigi Paganini

(SecurityAffairs – Lokibot malware, Coronavirus)

[adrotate banner=”5″]

[ banner=”13″]