Threatpost is reporting “44M Digital Wallet Items Exposed in Key Ring Cloud Misconfig” due to unsecured AWS S3 buckets. Key Ring allows users to upload scans and photos of membership and loyalty cards onto a digital folder on one’s phone; however, many users also use it to store copies of IDs, driver licenses, credit cards, and more.
Unsecured S3 buckets are almost a daily occurrence, but in this case the security risk was compounded by users who were using the Key Ring service for more than storing loyalty card information. Some users had decided that Key Ring would further reduce the number of ID cards they carried, and scanned driver's licenses, medical cards, credit cards with CCVs, and government IDs. Key Ring also serves as a marketing platform for retailers, and the membership lists for their clients were also present on the insecure S3 buckets. This situation would have been easily avoided had Key Ring performed a review of its S3 usage to ensure that the correct permissions were applied to each bucket.
Users do bear some of the blame in this breach, though. Using a service outside of its intended purpose could easily result in unforeseen security issues. In this case, the users who scanned sensitive cards like a driver's license or government ID clearly assumed that Key Ring was appropriate for their most sensitive data. While I often recommend that businesses look at their operations through the lens of a threat model, consumers also need to think about the type of data they provide to any app or service. If that data is outside of the scope of that app or service, it’s unlikely the vendor or author is thinking about how best to secure what for them is an unanticipated use of their service.
Developers can take “minimum viable product” to mean “does this work” — they often forget to add security into their viability equation. For Key Ring, it seems overly simple to say basic security hygiene means following the instructions that came with your S3 bucket.
As for Key Ring users, there’s a minimum cost of convenience: they will now have to be hypervigilant with every email they receive. Phishing attacks with this level of information will easily get past firewalls.