If you’ve ever used the Duc App to send money abroad, here’s some news you probably didn’t want to start your week with. Toronto-based fintech company Duales left a massive, publicly accessible Amazon cloud storage server sitting wide open on the internet, no password required. Think of it like leaving your wallet on the hood of your car and wondering why your credit cards are gone.
Security researcher Anurag Sen of CyPeace stumbled onto the exposed server and brought it to TechCrunch’s attention in an exclusive report. What he found inside was a collection of over 360,000 files, including driver’s licenses, passports, selfies, home addresses, and detailed transaction records dating back to September 2020.
Even more unsettling, the data was completely unencrypted, and because the server required no password, anyone who knew the (apparently easy-to-guess) web address could view and download everything with nothing more than a browser.
“It Was Just a Staging Site” — Sure It Was

When TechCrunch reached out, Duales CEO Henry Martinez González explained the server away as a “staging site” used for testing. That explanation might hold water if your test data weren’t real people’s government-issued IDs and financial records. He also assured everyone that “all protections are in place” — after TechCrunch had already found them very much not in place. To his credit, the files were made inaccessible shortly after the company was contacted. The list of server contents, however, remained visible.
The CEO would not confirm whether the company had access to logs that could determine how many people had already viewed or downloaded the exposed files, which is a bit like asking whether anyone broke into the garage and getting a shrug in response.
Regulators Are Already Asking Questions
Canada’s privacy regulator, the Office of the Privacy Commissioner, confirmed it had reached out to Duales for more information. The Duc App has racked up over 100,000 downloads on Google Play and is marketed as a convenient way to send money internationally, including to Cuba. That’s a significant number of people whose identity verification data may have been sitting in the digital equivalent of an unlocked filing cabinet in a public park.
This incident joins a growing list of apps that collect sensitive user documents for identity verification but fail to properly secure them afterward. Amazon has added tools in recent years to help prevent exactly this type of misconfiguration, which makes it all the more baffling when these exposures still happen. At some point, “we had a misconfiguration” stops being an explanation and starts being an excuse.
