On March 8, 2023, cybersecurity research team Cybernews discovered a publicly accessible environment file (.env) belonging to idkit.com, owned by OCR Labs, a London-based digital ID verification tool provider. The misconfiguration of the company’s systems exposed sensitive credentials to the public.
The discovered data leak impacted financial institutions in Australia such as QBANK, Defence Bank and MA Money, two financial companies based in the UK called Bloom Money and Admiral Money, and Reed, the UK’s top recruitment agency.
With the leaked data, threat actors could potentially breach the companies' backend infrastructure and that of their clients. Financial services are a prime target for cybercriminals, so the threat to these organizations and their customers is severe.
The exposure of AWS and SQS access credentials has put OCR Labs' clients in danger: leaking this kind of data opens up the possibility of disrupting the company's systems operations and hampering its ability to view internal server communication. The exposed AWS key ID and secret could also potentially compromise KYC processes.
Additionally, the risk of identity theft and establishing fraudulent bank accounts, also known as bank drops, using stolen customer credentials cannot be overlooked.
The environment file could potentially provide threat actors with various attack options, including ransomware deployment and access to sensitive customer data such as personally identifiable information (PII), deposits, withdrawals, and transfers.
OCR Labs immediately took all the necessary actions to remedy the situation, following a vulnerability disclosure program (VDP) framework. The company claims to have notified all impacted clients as part of its response. After an internal investigation, it stated that there was "no risk to the security of our client's data or any of our other clients".
To ensure the security of stored data, Cybernews researchers advise companies to be cautious and avoid storing sensitive information such as login URLs, connection strings, access tokens, and credentials in environment files.
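The incident above comes down to a `.env` file sitting somewhere a web server would serve it. As an added example (not OCR Labs' or Cybernews' code), the following hypothetical pre-deployment audit walks a document root, reports every `.env` file found there, and lists the keys that look like the credential types named in the article (AWS keys, SQS queue URLs, tokens, connection strings); the key and value patterns are assumptions.

```python
"""Audit a web document root for .env files and credential-like entries.
Hypothetical defender-side check; directory layout and patterns are assumed."""
import os
import re
import stat

# Key-name fragments that usually mark a credential (constructed list).
SENSITIVE_KEY_RE = re.compile(
    r"(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|SQS|SECRET|TOKEN|PASSWORD|"
    r"API_KEY|DATABASE_URL|CONNECTION_STRING)", re.IGNORECASE)
# Value shapes: AWS access key IDs and URL-style connection strings.
SENSITIVE_VALUE_RE = re.compile(r"(AKIA[0-9A-Z]{16}|[a-z][a-z0-9+.-]*://\S+)")


def parse_env(text):
    """Return {key: value} for KEY=VALUE lines, ignoring comments and blanks."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def audit_env_file(path):
    """Report credential-like keys in one .env file and whether it is world-readable."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        env = parse_env(fh.read())
    world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
    flagged = sorted(k for k, v in env.items()
                     if SENSITIVE_KEY_RE.search(k) or SENSITIVE_VALUE_RE.search(v))
    return {"path": path, "world_readable": world_readable, "sensitive_keys": flagged}


def audit_webroot(webroot):
    """Walk the document root; any .env found under it is a finding, because a
    web server will serve the file unless dotfiles are explicitly denied."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if name == ".env" or name.startswith(".env."):
                findings.append(audit_env_file(os.path.join(dirpath, name)))
    return findings
```

Run `audit_webroot("/var/www/html")` (path assumed) in CI or as a cron check; a non-empty result means a secrets file is inside the served tree and should be moved out of it or loaded from a secret store instead.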