These top mobile apps may have exposed personal user data online

Personal user data was potentially at risk for customers of FxPro Direct App, Europcar, and more

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A serious security flaw in half a dozen popular mobile apps potentially leaked the personal and sensitive data of users online.

Researcher Mikail Tunç discovered in late December 2021 that multiple mobile apps on both Android and iOS have misconfigured identification verification services. More precisely - they did not follow best practices, as recommended by the service provider, Onfido.

Instead of keeping an API token at the back-end, they kept it exposed in the front-end, potentially leaking biometric data. Had someone found the flaw before Tunç, they could have obtained personally identifiable data such as ID cards, passports, or driver’s licenses, emails, full names, or physical addresses, putting users at risk of potentialidentity theft. Furthermore, an attacker could have obtained selfie videos, something many identification verification services require.

Millions of potential victims

No one had allegedly found the flaw before Tunç, meaning the data remains safe for now - although whether or not that’s actually the case still remains to be seen.

According toCyberNews, which first revealed the news, the apps that were affected include FxPro Direct App, a trading platform with more than five million users, Europcar, a rent-a-car with more than a million users, Chip, savings app with almost half a million users, shopping app Hoolah, cryptocurrency app Mode, and a car-sharing service Greenwheels.

CyberNewsasked Onfido whether it monitors if their clients follow a recommendation not to leave the API token in the frontend, with the company saying it provides detailed technical guidance to customers on how to implement the Onfido IDV workflow securely.

“As with other companies in similar domains it’s technically very difficult to tell if a private key is being used improperly, across such a diverse range of workflows, making it hard to enforce,” Onfido said, adding that its initial investigations showed there is no evidence of unauthorized access to data.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Next steps if you’re a victim of identity theft in the US>How to spot the warning signs and prevent ID theft>A taxpayer’s guide to identity theft and how to prevent it

All these figures are fromGoogle’sPlay Store.Apple’s App Store does not even disclose download numbers, but it’s safe to say that these figures could, in the least, be double.

Those who used one of the apps listed above, and fear they might be targeted by malicious actors, should be extra careful of suspicious messages and connection requests from strangers, should reinforce their passwords, and add two-factor authentication whenever possible.

They should also make sure they keep their devices updated, run a cybersecurity solution, and afirewall, if possible.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Your doctor may have an AI assistant taking notes during your next Zoom call