More than 4,000 Android apps that use Google’s cloud-hosted Firebase databases are ‘unknowingly’ leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.
The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.
“4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication,” Comparitech said.
Acquired by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and even engage with users via in-app messaging features.
With the vulnerable apps in question — mostly spanning games, education, entertainment, and business categories — installed 4.22 billion times by Android users, Comparitech said: “the chances are high that an Android user’s privacy has been compromised by at least one app.”
Given that Firebase is a cross-platform tool, the researchers also warned that the misconfigurations are likely to impact iOS and web apps as well.
The full contents of the database, spanning across 4,282 apps, included:
- Email addresses: 7,000,000+
- Usernames: 4,400,000+
- Passwords: 1,000,000+
- Phone numbers: 5,300,000+
- Full names: 18,300,000+
- Chat messages: 6,800,000+
- GPS data: 6,200,000+
- IP addresses: 156,000+
- Street addresses: 560,000+
Diachenko found the exposed databases using known Firebase’s REST API that’s used to access data stored on unprotected instances, retrieved in JSON format, by simply suffixing “/.json” to a database URL (e.g. “https://~project_id~.firebaseio.com/.json”).
Aside from 155,066 apps having publicly exposed databases, the researchers found 9,014 apps with write permissions, thus potentially allowing an attacker to inject malicious data and corrupt the database, and even spread malware.
Complicating the matter further is the indexing of Firebase database URLs by search engines such as Bing, which exposes the vulnerable endpoints for anyone on the Internet. A Google search, however, returns no results.
After Google was notified of the findings on April 22, the search giant said it’s reaching out to affected developers to patch the issues.
This is not the first time exposed Firebase databases have leaked personal information. Researchers from mobile security firm Appthority found a similar case two years ago, resulting in the exposure of 100 million data records.
Leaving a database exposed without any authentication is an open invite for bad actors. It’s therefore recommended that app developers adhere to Firebase database rules to secure data and prevent unauthorized access.
Users, for their part, are urged to stick to only trusted apps and be cautious about the information that’s shared with an application.
The information contained in this website is for general information purposes only. The information is gathered from The Hacker News, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.