[BreachExchange] A China-based loan app exposed millions of Indians’ data in an unsecured server

[Destry Winant]

https://thenextweb.com/security/2020/08/13/a-china-based-loan-app-exposed-millions-of-indians-data-in-an-unsecured-server/

Update (17/08/2020): Moneed issued a statement stating that it follows
all laws and regulations of India. While the company didn’t
acknowledge the data breach, it said that the team has taken
suggestions from cybersecurity researchers for “strengthening our
firewall and security protection to completely meet the standards and
requirements according to the laws and regulations set forth by
authorities.”

China-based lending company Moneed’s unprotected database has exposed
the names and phone numbers of millions of Indians, putting them at
risk of identity theft. Security researcher Anurag Sen found this
database on an open elastic server that had more than 389 million
phonebook records. Moneed has offices in Hangzhou, New Delhi, and Hong
Kong.

Sen told TNW that the data is stored on a server provided by Hangzhou
Alibaba advertising co. ltd in China. The discovery comes in the wake
of anti-China sentiments across government authorities and citizens in
India who are wary of its powerful neighbor’s operations in
cyberspace. Recently, India banned 59 Chinese apps including TikTok
for allegedly “stealing and surreptitiously transmitting users’ data
in an unauthorized manner to servers which have locations outside
India.”

Looking at the database entries, especially names, the app seems to
have uploaded phonebooks of people who might’ve installed Moneed’s
apps. The company has two  Android apps for securing loans, called
Moneed and Momo on the Play Store, — both of them have more than a
million downloads. Both of these apps ask for a ton of permission
including contacts, phone, storage, and location.

Shockingly, I managed to find my own contact details in the database.
However, there were three entries against the same phone number; it’s
likely that different users will have saved my number against
different names for that contact.

Records from Moneed database

The database contained data gathered between August 2019 and July
2020. Despite multiple emails to Moneed, we received no reply at the
time of writing. We contacted the host of the server, and the Alibaba
Security Response Center (ASRC) took the database offline for
security.

Meanwhile, Moneed’s loan service itself appears to be in violation of
Google’s app store policy. You can apply for a short-term loan for a
tenure of 14 or 28 days. However, Google’s developer policy states
that the company doesn’t allow apps that demand full repayment of
loans in under 60 days. We’ve reached out to the company for an
explanation, and we’ll update the story when we hear back.

In the past few months, several reports have noted that Moneed and
several other Chinese microloan apps have been harassing borrowers in
India for repayment. One of the methods these companies use is
reportedly to call borrowers’ family and friends to ask for money.
They also create a WhatsApp group with the borrower’s family to ask
for their whereabouts.

In this tense political climate, it’s worrisome that the data of so
many Indian citizens were captured and stored on a foreign server
without explicit consent or disclosure. Recently, Cyble reported that
more than 150,000 IDs of Indians were leaked on the dark web by a
Mandarin-speaking actor.

Moreover, despite such a large amount of data store on the database,
there were no security precautions. Furthermore, this data could be
used for illegal extortion of money or other malicious purposes. The
company has a responsibility to keep customer data safe and respond to
security threats in a timely manner — and it has clearly failed them
in this case.