NEW DELHI: A vulnerability in Chinese micro-lending app Moneed may have exposed the personal details of millions of Indian users. The flaw was found by security researcher Anurag Sen, who informed the company about it. While Moneed didn’t immediately respond to the researcher’s email, the company claims it has fixed the issue after a report from The Next Web yesterday.
The database, which was seen by Mint, has over 350 million records of Indian users, including their names and phone numbers. It was stored on a server in China, even though the company’s founder, Leon Xu, claimed all Indian data is stored in Mumbai. The database also includes information about the phone a person was using, the apps installed on said phone, and their IP addresses, suggesting that Moneed’s access to a user’s data is extremely invasive.
The company has another app on the Play Store, called MoMo, which works the same way as Moneed. The permissions list for that app says it can control the phone’s vibration, connect to and disconnect from Wi-Fi networks, has full network access, can modify the phone’s storage and read content on it, can read and modify contacts, and much more.
The app requests access to users’ contact lists and uploads them to its servers. That means your name and phone number may be in the database even if you have never used the app.
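To show the kind of check a reader could run on an app like MoMo before installing it, here is an added example; it is not code from Mint, Moneed or the app itself. The script parses an AndroidManifest.xml, sorts the requested permissions into Android’s runtime (“dangerous”) and install-time (“normal”) levels, and flags the data classes that a read permission combined with INTERNET lets the app send off the device, which is the pattern behind the contact uploads described above. The manifest it runs on is constructed from the permission categories the article lists, and the package name com.example.lendingapp is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions: the user must grant them, and they hand over personal data.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "modify contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify shared storage",
    "android.permission.READ_PHONE_STATE": "read phone state and identifiers",
}

# Install-time ("normal") permissions: granted without a prompt. Harmless alone, but
# INTERNET is what turns a contact read into a contact upload, and QUERY_ALL_PACKAGES
# lets an app enumerate everything installed on the phone.
NORMAL = {
    "android.permission.INTERNET": "full network access",
    "android.permission.ACCESS_NETWORK_STATE": "view network connections",
    "android.permission.ACCESS_WIFI_STATE": "view Wi-Fi connections",
    "android.permission.CHANGE_WIFI_STATE": "connect to and disconnect from Wi-Fi",
    "android.permission.VIBRATE": "control vibration",
    "android.permission.QUERY_ALL_PACKAGES": "list all installed apps",
}

# A read permission plus a network path: together they let a data class leave the device.
EXFIL_PAIRS = {
    "contacts": ("android.permission.READ_CONTACTS", "android.permission.INTERNET"),
    "installed apps": ("android.permission.QUERY_ALL_PACKAGES", "android.permission.INTERNET"),
    "storage": ("android.permission.READ_EXTERNAL_STORAGE", "android.permission.INTERNET"),
}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in the manifest, in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def audit(manifest_xml: str) -> dict:
    """Classify the requested permissions and list the data classes the app could ship off-device."""
    perms = requested_permissions(manifest_xml)
    have = set(perms)
    return {
        "dangerous": [p for p in perms if p in DANGEROUS],
        "normal": [p for p in perms if p in NORMAL],
        "unclassified": [p for p in perms if p not in DANGEROUS and p not in NORMAL],
        "can_exfiltrate": sorted(
            data for data, (read, net) in EXFIL_PAIRS.items() if read in have and net in have
        ),
    }


# Constructed manifest for a hypothetical lending app. It is built from the permission
# categories the article attributes to MoMo; it is not copied from MoMo or Moneed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lendingapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="com.example.lendingapp.permission.C2D_MESSAGE"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for bucket, names in report.items():
        print(f"{bucket}:")
        for name in names:
            print(f"  {name}  {DANGEROUS.get(name) or NORMAL.get(name) or ''}")
```

For a real APK, the permission list can be dumped with `aapt dump permissions app.apk` from the Android SDK build tools and fed to the same classification. Note that the “normal” bucket is not harmless in itself: the contact upload the article describes needs only READ_CONTACTS, which the user is asked for once, plus INTERNET, which is granted silently at install time.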
In a conversation with Mint via LinkedIn, Xu said the company has millions of users in India. He denied that the data belonged to Moneed at first, and said the researcher hadn’t reached out to the company. However, he later said he would check with his teams about the same.
In an official statement sent to Mint today, the company said it has “thoroughly” communicated with the researcher and made fixing the loophole its top priority. “We have also thoroughly checked every part of our internal technology system with strengthening our firewall and security protection to completely meet the standards and requirements according to the laws and regulations set forth by the authorities,” the company said in its statement.
The researcher, though, says that all he received from the company was a single email, with a statement similar to the one put on its social platforms and sent to the media.