vpnMentor’s research team of ethical hackers, led by Noam Rotem and Ran Locar, recently discovered a data leak at the popular app Key Ring that compromised the privacy and security of its 14 million users.
Key Ring allows users to upload scans and photos of membership and loyalty cards into a digital folder on their phone. However, many users also use it to store copies of IDs, driver’s licenses, credit cards, and more.
A misconfigured Amazon Web Services (AWS) S3 bucket owned by the company exposed these uploads and revealed their owners’ private data. During the team’s investigation, they also found four additional unsecured S3 buckets belonging to Key Ring, exposing even more sensitive data, as these too were publicly accessible to anyone with a web browser.
These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud, says the report.
The first bucket was picked up by the team’s web scanning tools in January. At the time, the team was undertaking numerous investigations into other data leaks and had to complete these before it could analyze Key Ring’s S3 buckets.
Once the details of the leak were confirmed, the vpnMentor team immediately contacted Key Ring and AWS to disclose the discovery and assist in fixing the leak. The buckets were secured shortly after.
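The root cause the report names, a bucket readable by anyone with a browser, is something an account owner can check for before an outside researcher does. The following script is an added example, not code from vpnMentor or Key Ring: it classifies a bucket from the ACL and Public Access Block structures that boto3’s get_bucket_acl() and get_public_access_block() return, using constructed sample data in place of live AWS calls.

```python
"""Audit an S3 bucket's exposure from its ACL and Public Access Block settings.

The dict shapes match what boto3's get_bucket_acl() and
get_public_access_block() return; the sample data below is constructed for
illustration and no AWS API is called.
"""

# Group URIs S3 uses for "everyone" (AllUsers) and "any AWS account holder"
# (AuthenticatedUsers). A grant to either is effectively public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(acl):
    """Return (group, permission) pairs in an ACL that grant access to everyone."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def public_acls_ignored(pab):
    """True when Block Public Access makes S3 ignore existing public ACL grants.

    pab is None when get_public_access_block() raised
    NoSuchPublicAccessBlockConfiguration, i.e. no block is configured.
    """
    cfg = pab.get("PublicAccessBlockConfiguration", {}) if pab else {}
    return bool(cfg.get("IgnorePublicAcls"))


def assess_bucket(name, acl, pab=None):
    """Classify a bucket as 'public', 'public-acl-but-blocked' or 'private'."""
    grants = public_acl_grants(acl)
    if not grants:
        return name, "private", grants
    if public_acls_ignored(pab):
        return name, "public-acl-but-blocked", grants
    return name, "public", grants


# Constructed sample: the owner has FULL_CONTROL, but AllUsers can also READ
# (list) the bucket, and no Public Access Block exists. That combination is the
# "open to any web browser" pattern behind leaks like the one described above.
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
# The same bucket after enabling all four Block Public Access settings.
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print(assess_bucket("uploads-example", LEAKY_ACL, None))
    print(assess_bucket("uploads-example", LEAKY_ACL, HARDENED_PAB))
```

Turning the block on is a stopgap; the public grant itself should still be removed, which is why the script reports it separately.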
- Date discovered: January 2020
- Date Key Ring and AWS contacted: 18th February 2020
- Date of Action: 20th February 2020
Example of Entries in the Unsecured S3 Bucket
Anybody with a web browser could have viewed over 44 million images uploaded by Key Ring users. The private personal user data included scans of:
- Government IDs
- Retail club membership and loyalty cards
- NRA membership cards
- Gift cards
- Credit cards with all details exposed, including CVV numbers
- Medical insurance cards
- Medical marijuana ID cards
- Many more
Key Ring also works as a marketing platform for many of North America’s most prominent retail brands. As such, the bucket also contained CSV files detailing membership lists and reports for many of these businesses. These lists contained the Personally Identifiable Information (PII) data of millions of people.
Examples of companies affected, and the number of customer entries included:
- Walmart/Kleenex list: ~16,000,000
- Kids Eat Free Campaign: ~64,000
- Unknown marketing campaign report: ~86,000
- La Madeleine Bakery chain: ~6,600
- Footlocker: unknown number of records
- Mattel: ~2,000
In the following example from La Madeleine Bakery, numerous categories of PII were exposed. This list is similar to many the research team viewed:
- Full names
- Email addresses
- Membership ID numbers
- Dates of birth
- Locations and Zip Codes
Additional S3 Buckets Discovered
While investigating Key Ring’s first S3 bucket, the research team discovered four more buckets holding even more private data. In these buckets, they found a snapshot of the company’s database, which includes highly sensitive information about its users. Although the snapshot is not new, it held millions of records that were never meant to be exposed, such as:
- User emails
- Home addresses
- Device and IP address information
- Encrypted passwords, together with the random “salt” values used when encrypting them
Data Breach Impact
Two aspects of this leak made it especially dangerous, says the report.
- The sheer volume of files exposed, impacting millions of people across North America
- The value of the exposed data to criminal hackers
Aside from the CSV files, over 44 million images of personal cards were uploaded to the database by Key Ring users. These uploads exposed their credit card details, social security numbers, and much more. Had malicious hackers discovered these buckets, the impact on Key Ring users (and on the company itself) would have been enormous, adds the report.
"In fact, we can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring. If this happened, simply deleting the exposed data and securing the S3 buckets might not be enough. Hackers would still have access to all the data, stored locally, offline, and completely untraceable," concludes the team.
For the full report, please visit the vpnMentor blog.