Digital Identity Provider SDK Leaves Hundreds Of Thousands Of Biometric Records Vulnerable

Following the news that:

Digital identity provider SDK leaves hundreds of thousands of biometric records vulnerable | Biometric Update

1 Expert Comment
Rob.griffin, CEO, InfoSec Expert, September 5, 2022 12:38 pm

The stats behind these findings really are truly alarming and point to an urgent need for change in coding practices by app developers. Even in apps within regulated marketplaces such as banking and gambling, the use of poorly maintained shared libraries is leaving literally millions of users' data vulnerable. The large majority of these apps (77%) had hard-coded access tokens to private AWS services and of those, 47% gave access to large private files within S3 (AWS's storage).

By far the most alarming element is that many of these apps used the same Digital Identity SDK, which contained cloud credentials that could place entire infrastructures at risk as well as compromising the irrevocable biometric data of end-users alongside their respective names, dates of birth, etc.

For the 300,000 biometric digital fingerprints that were leaked across five mobile banking apps using the SDK there is no going back. Similarly, 16 different online gambling apps using the vulnerable library exposed full infrastructure and cloud services with full read/write ‘master’ account credentials.

App developers cannot expect publicly available shared libraries to provide secure and well-maintained solutions for complex authentication requirements, and they take colossal risks to brand and business should they do so.

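The failure the comment above describes, long-term AWS access keys compiled into a third-party SDK and shipped inside the apps that embed it, is one a developer or auditor can check for before release by scanning the unpacked app bundle for credential patterns. The following is an added example and is not code from Information Security Buzz, from the commenter, or from the vendor or researchers in the linked report. The SDK and class names in the sample strings dump are constructed, and the two access key IDs and the secret are AWS's own documentation placeholders, not live credentials. Matching the access key ID is deterministic (AWS long-term key IDs start with `AKIA`, temporary STS key IDs with `ASIA`); pairing it with a nearby secret is a heuristic that uses length, character set and Shannon entropy, so treat the secret field as a lead, not proof.

```python
"""Scan an unpacked mobile app or SDK bundle for hard-coded AWS credentials.

Added illustration (not from the article or any vendor it mentions).
Assumes the APK/IPA/AAR has already been unzipped; here the files are
replaced by a constructed in-memory strings dump so it runs offline.
"""
import math
import os
import re
from collections import Counter

# Access key IDs are 20 chars: a 4-char prefix plus 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Za-z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Za-z0-9])")
# Secret access keys are exactly 40 chars drawn from the base64 alphabet.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random 40-char secrets score well above 4, filler below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_aws_credentials(blob: bytes, window: int = 512, min_entropy: float = 4.0) -> list:
    """Return every access key ID in blob, each paired with the nearest
    high-entropy 40-char token within `window` bytes (or None if there is none)."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - window), min(len(blob), m.end() + window)
        neighbourhood = blob[lo:hi]
        best = None  # (distance from key ID, candidate secret)
        for s in SECRET_KEY_RE.finditer(neighbourhood):
            token = s.group(0)
            if shannon_entropy(token) < min_entropy:
                continue  # repeated chars, version strings, etc.
            dist = abs((lo + s.start()) - m.start())
            if best is None or dist < best[0]:
                best = (dist, token.decode("ascii"))
        findings.append({
            "access_key_id": m.group(0).decode("ascii"),
            "secret_key": best[1] if best else None,
            "offset": m.start(),
        })
    return findings


def mask(secret: str) -> str:
    """Keep the first and last four characters so a report does not re-leak the value."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_directory(root: str) -> list:
    """Walk an unpacked bundle and scan every file, binary-safe (no decoding)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                for hit in find_aws_credentials(fh.read()):
                    hit["file"] = path
                    results.append(hit)
    return results


# Constructed sample: what `strings classes.dex` might show for a hypothetical
# identity SDK. Key IDs and secret are AWS documentation placeholders.
SAMPLE_STRINGS_DUMP = (
    b"Lcom/example/idsdk/BiometricUploader;\n"
    b"https://s3.amazonaws.com/\n"
    b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    b"bucket=example-biometric-templates\n"
    + b"".join(b"Lcom/example/idsdk/Class%d;\n" % i for i in range(50))  # padding
    + b"fallback_key=AKIAI44QH8DHBEXAMPLE\n"  # second ID, no secret nearby
)

if __name__ == "__main__":
    for hit in find_aws_credentials(SAMPLE_STRINGS_DUMP):
        secret = mask(hit["secret_key"]) if hit["secret_key"] else "not found"
        print(f"offset {hit['offset']}: {mask(hit['access_key_id'])} / {secret}")
```

Run `scan_directory("path/to/unpacked-app")` against a real bundle; any `AKIA` hit is a finding regardless of whether a secret was paired, since a key ID alone tells an attacker which account to target and which logs to search. A temporary `ASIA` key in a shipped binary is equally wrong, just shorter-lived.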
Information Security Buzz