Sat. Jun 6th, 2020

Popular digital wallet Key Ring leaked 14 million user information including credit card number

2 min read

The digital wallet application Key Ring was recently discovered by researchers as a major security issue, and its database hosted on the Amazon AWS platform is set to a public state.

The application is designed to help users encrypt and store purchases and financial data, for example, it can be used to associate Walmart membership cards or add their own credit card information.

In this way, the user does not have to carry a physical wallet and put various membership cards and bank cards in it, but the security becomes a problem after the Key Ring databases are leaked.

It stands to reason that software related to finance should pay great attention to security because once a security problem occurs, a large amount of user information may be leaked and property loss may result.

But it seems that Key Ring’s digital wallet application does not pay much attention to security issues, because the mistake they made this time is a very poor problem.

FormGet data leak

When the researchers searched, they found that the company’s repository hosted on Amazon’s cloud computing platform turned out to be public, which meant that anyone could access the data.

Normally, these repositories should be set to a private state and only authorized administrators can access, but obviously Key Ring did not follow the security process.

The Amazon cloud computing platform has issued several reminders before, warning developers and enterprises to check the status of the repository, and should not be set to a public state if unnecessary.

But I never imagined that this kind of software involving users’ financial problems would have such errors, directly exposing 14 million users to the Internet.

According to the developer, the company currently has 14 million users worldwide, and the number of various cards that these users bind or add to Key Ring amounts to 60 million.

These cards include not only the membership cards of various websites or physical stores but also the user’s credit card and security code information, depending on whether the user actively added it.

At the same time, many users bind their detailed identification information and medical records, and these data are stored in the database by Key Ring in plain text.

When the researchers checked the database, they found that all the data was stored in the CSV file. These data are not encrypted and can be read arbitrarily as long as they are downloaded.

It is unclear whether any hackers other than researchers download these databases. If any hackers have already downloaded the databases, it may cause great security problems.

Researchers warn that if the data is leaked, the user’s credit card may be stolen and may also encounter financial fraud, so users also need to be vigilant.