Misconfigured Firebase exposes users' data
By Yash Kudal
Investigators with the mobile security company Appthority have disturbing news for iOS and Android users: a vulnerability on the developer's side is exposing sensitive data. The exposed information, including sensitive personal information, plain text passwords, and more, was affected as a result of what the experts called a Firebase vulnerability.
As with other previously discovered application weaknesses, the problem lies in how the app communicates with its Google Firebase cloud database. Specifically, when authentication is not required, any attacker can access the information in an insecure Firebase database. Developers need to take an extra step to apply that authentication, but in many applications that step has not been taken.
As a result, this vulnerability has exposed nearly 100 million records from insecure Firebase databases.
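To make the missing authentication step concrete, here is an added example (not from the article or from Appthority) that audits a Firebase Realtime Database rules file for `.read`/`.write` rules that grant access without consulting `auth`. The two rules documents are constructed samples, and the check for an `auth` reference is a heuristic assumed for this example.

```python
import json
import re

# Constructed samples in Firebase Realtime Database rules syntax.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
MIXED_RULES = '''{"rules": {
  "users": {"$uid": {".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}},
  "payments": {".read": "auth != null", ".write": false},
  "locations": {".read": true, "history": {".read": "auth != null"}},
  "chat": {".write": "now < 1767225600000"}
}}'''

def is_unauthenticated_grant(rule):
    """True if a .read/.write rule can grant access without looking at `auth`."""
    if isinstance(rule, bool):
        return rule
    expr = rule.strip()
    if expr == "false":
        return False
    # Heuristic (assumption of this example): an expression that never
    # references `auth` cannot be checking who the caller is. It will not
    # catch rules such as "auth == null", so treat a clean result as a
    # starting point for review, not proof.
    return re.search(r"\bauth\b", expr) is None

def audit(rules_json):
    """Return (path, operation, rule) for each topmost unauthenticated grant."""
    findings = []

    def walk(node, path, already_open):
        now_open = set(already_open)
        for op in (".read", ".write"):
            rule = node.get(op)
            # Grants cascade downward: once a parent opens an operation,
            # stricter child rules cannot take it back, so report the parent only.
            if rule is not None and op not in already_open and is_unauthenticated_grant(rule):
                findings.append((path or "/", op, rule))
                now_open.add(op)
        for key, child in node.items():
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, f"{path}/{key}", now_open)

    walk(json.loads(rules_json)["rules"], "", frozenset())
    return findings

if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("mixed", MIXED_RULES)):
        for path, op, rule in audit(doc):
            print(f"{name}: {path} {op} granted without auth by rule {rule!r}")
```

In the mixed sample, `/locations/history` asks for `auth != null`, yet it stays readable by anyone because the parent `/locations` already grants `.read`.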
The Appthority team looked at 28,502 mobile apps that connect to Firebase data: more than 27,000 for the Android platform and another 1,200-plus for iOS. More than 3,000 were left exposed because of a lack of authentication. Unfortunately, these numbers mean that one in every ten Firebase databases had been left unprotected.
A variety of app categories are involved in this discovery, especially business-oriented ones such as productivity tools and financial and business applications, and even dating apps. Business users of the affected apps include banking companies, telecom, boating, travel and schools spread across the US, Europe, South America and Asia.
So what was revealed?
Investigators found millions of publicly exposed passwords, private health records, stored GPS coordinates, online payment records, as well as access to millions of users of social networking sites.
It is important for users of business devices to understand that this type of vulnerability exists and that it can be widespread, given the growing number of Firebase users since its launch. Any vulnerability that discloses sensitive information from a business account can carry the risk of violating the law, even if the information is mature or obliged.