Financial Loan Apps Are Exposing Real-Time Location Data On Millions Of People
A team of security researchers at Safety Detective recently discovered a massive database of sensitive personal information, including real-time location data, that was easily accessible online on an unsecured server. The database, which has since been secured, contained just under 900GB of personal information connected to millions of Chinese citizens.
According to Safety Detective, the server contained information from more than 100 mobile apps, most of which were related to loans and financial services. Within the database was a massive trove of personal information including loan records, risk management data, and personally identifiable information like a person's name, address and phone number.
Even more troubling, the database contained over 4.6 million unique entries on mobile devices connected to the app users, covering nearly everything one could want to know about a device. Records included real-time location data, contact lists, text message logs, device model information, lists of installed apps, records of when certain apps were opened and for how long, and billing information including credit card numbers and passwords stored as MD5 hashes. The article calls this "MD5 encryption", but MD5 is a fast hash function, not encryption: there is nothing to decrypt, and the hashes of common passwords can be matched against a wordlist in seconds with commodity cracking tools. Safety Detective assessed that the information was likely collected and used by marketing agencies for mobile apps and other services.
While the database has since been secured, the sheer amount of information collected is staggering. Everything from IP addresses to full text message exchanges to details of a person's financial situation could be found and linked to millions of individuals. Safety Detective noted that this is more than enough for a malicious actor to completely compromise a person's identity. An attacker could also hijack accounts after cracking the password hashes, and because passwords are commonly reused, one recovered password can cascade into compromises of other services. The name, address, phone number and device details in the records are also the raw material for a SIM swap attack, in which the attacker persuades a carrier to move the victim's phone number to a SIM they control; with the number, they receive the victim's calls and SMS verification codes and can reset or log in to apps that rely on them, including apps that control connected devices or hold private photos and other media.
It is entirely possible that someone with bad intentions found the database before the researchers did, though that is hard to establish. When a database is misconfigured this way, its contents are effectively public: reaching them requires only knowing where the server is, or stumbling across it with an internet-wide scan, and unless access logging was enabled there may be no record of who read what.
Unfortunately, these types of exposures are relatively common. Misconfigured servers routinely expose large volumes of data, and there is little an individual can do once the data has been collected. The best defence is to be selective: use only trustworthy apps, deny permissions (location, contacts, SMS) that an app does not need in order to function, and limit the information shared with apps and services.
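To show what "MD5-hashed passwords can easily be cracked" means in practice, here is an added example that is not from the Forbes article or from Safety Detective's report. It runs a plain dictionary attack over a constructed MD5 password column (well-known weak passwords, not values from the exposed database), then stores the same passwords with a per-record random salt and a slow key-derivation function and shows why that form resists the same attack. The column is assumed to be unsalted, as legacy MD5 storage usually is; the wordlist, suffix rules and PBKDF2 parameters are all constructed for the example (scrypt or Argon2id are preferable where available).

```python
"""Unsalted MD5 password column versus a salted, slow password hash (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed sample column: what a dump of MD5-hashed passwords looks like.
# The first three are the well-known digests of "password", "123456" and "12345678";
# none of these are values from the exposed database.
CONSTRUCTED_MD5_COLUMN: List[str] = [
    "5f4dcc3b5aa765d61d8327deb882cf99",                        # md5("password")
    "e10adc3949ba59abbe56e057f20f883e",                        # md5("123456")
    "25d55ad283aa400af464c76d713c07ad",                        # md5("12345678")
    hashlib.md5(b"Summer2019!").hexdigest(),                   # wordlist word + mangling
    hashlib.md5(b"correct horse battery staple").hexdigest(),  # not in the wordlist
]

# Constructed mini wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "123456", "12345678", "qwerty", "summer2019", "letmein"]
SUFFIXES = ["", "1", "123", "!"]  # a few typical mangling rules


def candidates(wordlist: Iterable[str]) -> Iterable[str]:
    """Yield each word and its capitalised form with every common suffix."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def crack_md5_column(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5: map recovered digest -> plaintext.

    Because there is no salt, one MD5 per candidate is checked against every
    target at once, so the cost does not grow with the number of victims.
    """
    targets = {h.lower() for h in hashes}
    recovered: Dict[str, str] = {}
    for cand in candidates(wordlist):
        digest = hashlib.md5(cand.encode()).hexdigest()
        if digest in targets:
            recovered[digest] = cand
    return recovered


# Hardened storage: random per-record salt plus a deliberately slow KDF.
# Iteration count is an assumption for the example; tune upward for production.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    found = crack_md5_column(CONSTRUCTED_MD5_COLUMN, WORDLIST)
    print(f"recovered {len(found)} of {len(CONSTRUCTED_MD5_COLUMN)} MD5 hashes:")
    for digest, plaintext in found.items():
        print(f"  {digest}  {plaintext}")
    record = hash_password("Summer2019!")
    print("salted record:", record)
    print("verify correct password:", verify_password("Summer2019!", record))
    print("verify wrong password:  ", verify_password("summer2019", record))
    # Same password, different salt, different record: no shared table works.
    print("same password hashes differently:", hash_password("Summer2019!") != record)
```

Four of the five constructed MD5 values fall to a six-word list with trivial mangling; only the long passphrase survives. With the salted record, an attacker must redo the full PBKDF2 work per candidate per user, so the per-guess cost rises from a few nanoseconds to a few hundred milliseconds and no precomputed table applies.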
Source: Forbes.com