Expert Comments

Security Expert Re: Key Ring Exposes 44 M Digital Wallet Items Due To AWS S3 Bucket Misconfiguration

Expert(s): Security Experts
Expert(s): Security Experts
Threatpost is reporting 44M Digital Wallet Items Exposed in Key Ring Cloud Misconfig due to unsecured AWS S3 buckets. Key Ring allows users to upload scans and photos of membership and loyalty cards onto a digital folder on one’s phone; however, many users also use it to store copies of IDs, driver licenses, credit cards, and more.

Experts Comments

April 03, 2020
Tim Mackey
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Synopsys
Unsecured S3 buckets are almost a daily occurrence, but in this case the security risk was compounded by users who were using the Key Ring service for more than storing loyalty card information. Some users had determined that Key Ring would further reduce the number of ID cards they carried and scanned drivers licenses, medical cards, credit cards with CCVs and government IDs. Key Ring also serves as a marketing platform for retailers and the membership lists for their clients were also present .....Read More
Unsecured S3 buckets are almost a daily occurrence, but in this case the security risk was compounded by users who were using the Key Ring service for more than storing loyalty card information. Some users had determined that Key Ring would further reduce the number of ID cards they carried and scanned drivers licenses, medical cards, credit cards with CCVs and government IDs. Key Ring also serves as a marketing platform for retailers and the membership lists for their clients were also present on the insecure S3 buckets. This situation was easily avoidable had Key Ring performed a review of its S3 usage to ensure that the correct permissions were applied to each bucket. Users do bear some of the blame in this breach though. Using a service outside of its intended purpose could easily result in unforeseen security issues. In this case, the users who scanned sensitive cards like a drivers license or government ID clearly assumed that Key Ring was appropriate for their most sensitive data. While I often recommend that businesses look at their operations through the lens of a threat model, consumers also need to think about the type of data they provide to any app or service. If that data is outside of the scope of that app or service, it’s unlikely the vendor or author is thinking about how best to secure what for them is an unanticipated use of their service.  Read Less
April 03, 2020
Patrick Hamilton
Security Evangelist
Lucy Security
Developers can take "minimum viable product" to mean "does this work" -- they often forget to add security into their viability equation. For Key Ring, it seems overly simple to say basic security hygiene means following the instructions that came with your S3 bucket. As for Key Ring users, there's a minimum cost of convenience: they will now have to be hyper vigilant with every email they receive. Phishing attacks with this level of information will easily get past firewalls.

Submit Your Expert Comments

What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Write Your Expert Comments *
Your Registered Email *
Notification Email (If different from your registered email)
* By using this form you agree with the storage and handling of your data by this web site.
SUBMIT

You may also like

Booz Allen Report On CISOs And China Quantum Computing Risks,...

Experts Reactions On Sky Broadband Hack Warning

Ransomware Set To Break Records This Black Friday 2021

The Changing Face Of The COO Role

Security Expert On Apple Suing NSO Group

Meta Delays Plans To Rollout End-to-end Encryption

NCSC Issues Black Friday Warning To Tetailers

How The Zelle Fraud Scam Steals Your Bank Credentials

GoDaddy Data Breach Impacts Over A Million Users, Experts Reactions

Utah Imaging Data Breach – Expert Comments

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts