Researchers at Jamf Threat Labs have uncovered two mobile applications leaking sensitive user data, including credentials and personally identifiable information (PII). The affected apps belong to a Malaysian healthcare management platform and an Indian jewelry company, both of which failed to respond to responsible disclosure attempts.
Jamf explained the underlying issue: “These apps leak data over unencrypted HTTP requests while users are trying to log in to their accounts. This means that requests with credentials in clear form (not obfuscated) are sent to the organizations’ servers unencrypted, exposing these data to all devices connected to the same network.”
This makes users particularly vulnerable when connecting over public Wi-Fi networks, where attackers could easily intercept credentials and exploit stolen information.
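A defender-side check for the failure Jamf describes, as an added example (not code from Jamf or from this article): it scans request records exported from an intercepting proxy during app testing and flags plain-HTTP requests whose parameter names look like credentials or PII. The record layout, the host names and the field-name list are assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Field-name fragments treated as sensitive (an assumption; tune per app).
SENSITIVE = ("pass", "pwd", "email", "user", "phone", "mobile", "national")

def _fields(entry):
    """Collect parameter names from the query string and the request body."""
    names = [k for k, _ in parse_qsl(urlsplit(entry["url"]).query)]
    body = entry.get("body") or ""
    ctype = entry.get("content_type", "")
    if "json" in ctype:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = {}
        stack = [doc]
        while stack:  # walk nested objects and arrays
            cur = stack.pop()
            if isinstance(cur, dict):
                names.extend(cur.keys())
                stack.extend(cur.values())
            elif isinstance(cur, list):
                stack.extend(cur)
    elif "x-www-form-urlencoded" in ctype:
        names.extend(k for k, _ in parse_qsl(body))
    return names

def find_cleartext_leaks(entries):
    """Return (url, sorted sensitive field names) for plain-HTTP requests."""
    findings = []
    for e in entries:
        if urlsplit(e["url"]).scheme.lower() != "http":
            continue  # TLS-protected requests are out of scope for this check
        hits = sorted({n for n in _fields(e) if any(s in n.lower() for s in SENSITIVE)})
        if hits:
            findings.append((e["url"], hits))
    return findings

# Constructed sample capture, not traffic from the apps in the article.
SAMPLE = [
    {"url": "http://api.example.test/login", "content_type": "application/json",
     "body": '{"username": "alice", "password": "x", "device": {"model": "p1"}}'},
    {"url": "https://api.example.test/login", "content_type": "application/json",
     "body": '{"username": "alice", "password": "x"}'},
    {"url": "http://api.example.test/profile?phone=000&lang=en",
     "content_type": "", "body": ""},
    {"url": "http://cdn.example.test/logo.png", "content_type": "", "body": ""},
]
```

Calling `find_cleartext_leaks(SAMPLE)` reports the plain-HTTP login and profile requests and skips both the HTTPS login and the asset fetch that carries no sensitive parameters.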
The first case involves Khazana Jewellery, a popular retailer in India. Its iOS app — used to manage savings schemes for jewelry purchases — was found to be leaking multiple types of sensitive information.
Jamf reported: “There are several requests leaking data, and the following data is being leaked while users interact with the app: User email, password, full name, [and] phone number.”
Beyond credentials, the app also collects and stores extensive personal information:
- Full name
- Phone number
- Address
- PAN number
- ID number
The consequences of a breach are severe. Attackers could log into compromised accounts, cancel subscriptions, trigger cancellation fees, or misuse PII for phishing and identity theft.
The second case concerns MiCare HealthTech Holdings, a Malaysian healthcare management company serving 15 million users. While the affected app, HBC-MED, is considered a legacy platform, it remains available in both the Apple App Store and Google Play Store.
According to Jamf: “There are several requests leaking data, and the following data is being leaked while interacting with the app: Username, password, national ID, subscribed insurance/healthcare policy, [and] device HW specification (Android app only).”
Given the app's healthcare focus, researchers consider the exposure especially serious: “It is possible that this app has access to sensitive personal and healthcare data due to the nature of its purpose.”
Importantly, Jamf clarified that MiCare’s newer app does not suffer from the same flaws — but the legacy app remains a risk to users who still install it.
While the number of impacted users may be limited, Jamf stresses that the exposure of such highly sensitive healthcare and financial data makes these vulnerabilities critical.