UPDATED 22:33 EDT / APRIL 02 2020

SECURITY

Digital wallet app Key Ring exposes user data on misconfigured cloud databases

Data belonging to 14 million users of the Key Ring digital wallet app has been discovered exposed on multiple Amazon Web Services Inc. S3 buckets.

The breach was discovered and publicized today by security researchers Noam Rotem and Ran Locar at vpnMentor. The app, which is primarily designed to upload scans and photos of loyalty cards, is also used by many users to store copies of driver licenses, credit cards and more.

The exposed S3 buckets, five in total, had been misconfigured to allow public access and contained 44 million images. Along with credit cards and driver licenses, other images found included medical insurance cards, medical marijuana cards, government ID cards, gift cards and even National Rifle Association membership cards.

Along with its consumer app side, Key Ring also operates as a marketing platform for multiple U.S. retail brands. Also found on the buckets were CSV files detailing membership lists and reports for many of Key Ring’s corporate clients that included personally identifiable information on millions of people.

The databases were first discovered in January, and the company was contacted Feb. 18. The databases were taken offline Feb. 20.

Noting that they can’t say for certain that nobody else found the S3 buckets and downloaded the data before they notified Key Ring, the researchers said that “had malicious hackers discovered these buckets, the impact on Key Ring users (and the company itself) would be enormous.”

The company itself has not commented publicly on the report.

“Developers can take ‘minimum viable product’ to mean ‘does this work’ — they often forget to add security into their viability equation,” Patrick Hamilton, cybersecurity evangelist at training firm Lucy Security AG, told SiliconANGLE. “For Key Ring, it seems overly simple to say basic security hygiene means following the instructions that came with your S3 bucket.”

As for Key Ring users, Hamilton added, “there’s a minimum cost of convenience: they will now have to be hyper-vigilant with every email they receive. Phishing attacks with this level of information will easily get past firewalls.”
