The Cybernews research team discovered a misconfiguration in the OCR Labs system that exposed sensitive data.
The company is a leading provider of digital ID verification tools, with its IDkit tool being used by major banks, telecoms companies, and governmental agencies. IDKit verifies users by linking their faces to their identity documents.
The discovered data leak impacted financial institutions in Australia – QBANK, mainly used by government agency workers, Defence Bank, catering to the Australian armed forces, and MA Money, a company that focuses on residential mortgages.
The leak also affected Bloom Money and Admiral Money – two financial companies based in the UK, and Reed, which is the UK’s top recruitment agency.
Using leaked data, threat actors could potentially breach companies’ backend infrastructure and consequently the infrastructure of their clients. While financial services are the main target for cybercriminals, the threat to the organizations and their customers is severe.
Cybernews reached out to the company, and it fixed the issue.
A treasure trove of credentials
On March 8, 2023, the Cybernews research team discovered a publicly accessible environment file (.env) belonging to idkit.com, owned by OCR Labs.
The file contained database credentials, including host, port, and username, Amazon Web Services (AWS) with Simple Queue Service (SQS) access credentials, application tokens, and various application programming interface (API) keys.
Among the leaked data, researchers found Google and Liveness API keys. Liveness is used in the digital identification process, determining whether the sample belongs to a live person or a fake, thereby preventing spoofing or account-holder impersonation.
The exposure of these keys is particularly dangerous because it potentially allows an attacker to see all the API’s data and modify and update related files, pipelines, and workflows.
Researchers also stumbled upon Engine v4 credentials: while they cannot determine the exact impact of this discovery, it is related to the Know Your Customer (KYC) service, which entails verifying a client’s identity when opening an account and periodically over time to guard against money laundering. The exposure of its ID and secret can potentially compromise KYC processes.
Financial data at risk
Another piece of sensitive information observed was the API key from Experian, a well-known multinational data analytics and consumer credit reporting company.
Experian collects financial data on individuals to help rate their creditworthiness. Having access to the API might enable the threat actor to access private user data such as credit score, and edit all data associated with the API.
Leaked app URLs, IDs, and tokens could have been used by threat actors to hijack OCR Labs client applications.
The exposure of AWS and SQS access credentials has put OCR Labs clients in danger. Leaking this kind of data opens up the possibility of disrupting the company’s systems operations, hampers its ability to view internal server communication, and potentially enables malicious actors to gain further access to cause harm to customers.
The discovered OAuth endpoint URL and token for business metrics could help malicious actors access private commercial information.
Wide range of attacks
This leak could have caused significant damage if malicious actors used it to take over the application instance, enabling lateral movement with a targeted system.
The environment file could potentially provide threat actors with various attack options. Ransomware deployment, and access to sensitive customer data such as personally identifiable information (PII), deposits, withdrawals, and transfers, are just a few examples of what could be done with the leaked data.
Leaked data could be highly beneficial for phishers and fraudsters who may exploit the opportunity to impersonate brokers or banks and deceive unsuspecting individuals and businesses into transferring money to scammers.
Moreover, the risk of identity theft and establishing fraudulent bank accounts, also known as bank drops, using stolen customer credentials, cannot be overlooked.
OCR Labs’ response
Immediately after Cybernews informed the company about the misconfiguration, it took all the necessary actions to remedy the situation. OCR Labs says it adheres to a vulnerability disclosure program (VDP) framework “to securely accept, triage, and rapidly remediate vulnerabilities.”
Following the framework, the company claims to have notified all impacted clients as part of their response. After an internal investigation, it stated that there was “no risk to the security of our client’s data or any of our other clients.”
“After more than 40 hours of investigation, we discovered that these reports pertained to unused demo and non-production environments and the keys which were discovered by the bots were of offline systems,” said Paul Warren-Tape of OCR Labs.
Cybernews reached out to the affected clients, but at the time of writing has not received their comment yet.
If you want to read the OCR Labs’ response and how to secure your data give a look at the original post:
About the author: Paulina Okunytė, Journalist at cyberNews
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:
Please nominate Security Affairs as your favorite blog.
Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, North Korea)