Nubank Suffers Security Lapse, Exposing Customer Data to Google Searches

RIO DE JANEIRO, BRAZIL – A failure at fintech Nubank has exposed personal customer data on the internet. The Brazilian fintech allowed data such as account number, full name and the Natural Persons Register (CPF) number to be found through Google, Bing, and Yahoo searches, among others. The bug was reported by the cyber security researcher Heitor Gonvêa and corrected by Nubank.

According to a detailed report published by the researcher, the links indexed by Google were part of the “charge” function – where one can create a QR Code containing the amount and bank details to complete the requested payment. This function is typically used between people who know each other. The main issue is that these links are visible on Google searches – unbeknownst to customers.

To prove this, Heitor created a script to list all the URLs available on Google and Bing and was able to find, in just a few minutes, a list with over 100 names, CPFs, branches and account numbers.

In a statement, Nubank said that its security team “assessed the report produced on the charge function, and found that the links listed by Google came from other indexed websites on the Internet. To improve this process, some changes were made to the app and Google was required to block this type of result, thereby fixing this issue.”

The company points out that the Nubank account transfer URLs provided by this function are generated exclusively by customers in their apps. The data contained in each URL is required for the transaction to be executed both by other Nubank customers and by people who do not have the app installed on their devices and therefore will need to use other methods such as DOCs or TEDs. Thus, the customer can define how and with whom they will share each generated URL.

Nubank stresses that security is a priority and that it takes all necessary precautions to ensure the integrity of its customers’ accounts.
