More Than 100 Loan Apps In China Were Leaking Millions Of Sensitive User Data

21/07/2019

More than 100 loan apps in China have been exposing sensitive user data through an unsecured server that was receiving live updates.

According to a report from Safety Detective, an Israeli company that reviews antivirus software, the apps were sending data from more than 4.6 million devices, including real-time location data, debt logs, financial information and contacts.

Beyond that, the database also held real names, dates of birth, physical addresses and personal phone numbers.

The database had over 899 gigabytes of data, according to Anurag Sen, an independent security researcher who discovered the leak. The public database was still growing, as these apps gathered data on people's activities and stored it on the unsecured server in real time.

Sen said that:

"A bad actor can take advantage of the information like phone number and address to cause identity theft or in a serious case, can cause physical damage. Some of the biggest risks we can think of would be government or company espionage (even more in a country like China) since we have some location logs, call logs and text records."

Image caption: Just some of the information exposed by the loan apps. (Image: Safety Detective)

Sen and a team at Safety Detective found that one of the 100+ apps exposing sensitive user information was Youyidai, a loan app that has been downloaded more than 1.4 million times in China.

People use apps like these to quickly borrow money in China. In return, the companies behind them gather thousands of data points to approve these loans.

Unfortunately for those people, some of these apps also have access to their real-time location for debt-collection purposes.

"Leaks like these are continuously happening because companies mismanage the server where they store the logs. It is a technical fault and a very silly one which can cause very serious damage to the company and its customers by leaving databases like this without a password over the internet," Sen said.

The massive data leak contained a treasure trove of information on millions of Chinese citizens. An attacker with access to this public server would essentially be able to track millions of people in real time, along with having access to a detailed list of contacts and their credit card information.

The details contained in the database are more than enough to take over someone's identity entirely. If the data falls into the wrong hands, the results can be catastrophic: attackers can replicate SIM cards and gain access to victims' phones, which in turn provides access to online and banking accounts, photos, documents, and even connected home devices.

Sen and his team notified Aliyun Computing, a subsidiary of Alibaba, which hosted the server, but were unable to contact the database's owner.

Alibaba then took the server offline after CNET reached out to the company.

According to a spokesperson for Alibaba:

"We provide ongoing security guidelines and trainings to all our customers, and always advise them to protect their data by setting a secure password among other security recommendations."

"A series of actions were immediately taken to identify, alert and guide the customer, once Alibaba Cloud was informed about their database vulnerability hosted on our public cloud platform."