Chinese loan app Moneed leaked over 350 million Indian user records from a server in China
NEW DELHI: A vulnerability in the Chinese micro-lending application Moneed may have exposed the personal details of millions of Indian users. The vulnerability was discovered by security researcher Anurag Sen, who informed the company about it. Although Moneed did not immediately respond to the researcher’s email, the company says it corrected the error after a report from The Next Web yesterday.
The database, which was viewed by Mint, contains over 350 million Indian user records, including their names and phone numbers. It was stored on a server in China, although company founder Leon Xu claimed all Indian data was stored in Mumbai. The database also includes information about the phone that a person was using, the applications installed on that phone and their IP addresses, which suggests that Moneed’s access to a user’s data is extremely invasive.
The company has another app on the Play Store called MoMo, which works the same way as Moneed. The permissions list for this app says that it can even control a phone’s vibration, connect to and disconnect from WiFi networks, have full network access, change a phone’s storage, play content on the phone, read and edit contacts, and much more.
The application accesses users’ contact lists and uploads them to its servers. This means that your phone number and name can appear in the database even if you haven’t used the app.
In a conversation with Mint via LinkedIn, Xu said the company has millions of users in India. He denied that the data originally belonged to Moneed, and said the researcher had not contacted the company. However, he later said he would check with his teams on the matter.
In an official statement sent to Mint today, the company said it had communicated “extensively” with the researcher and made correcting the flaw its top priority. “We have also carefully checked every part of our internal technology system, strengthening our firewall and security protection to fully meet standards and requirements in accordance with laws and regulations established by authorities,” the company said in its statement.
The researcher, however, says all he received from the company was a single email, with a similar statement posted on his social platforms and sent to the media.