[BreachExchange] Over 4000 Android Apps Expose Users' Data via Misconfigured Firebase Databases
Destry Winant
destry at riskbasedsecurity.com
Thu May 14 10:13:12 EDT 2020
https://thehackernews.com/2020/05/android-firebase-database-security.html
More than 4,000 Android apps that use Google's cloud-hosted Firebase
databases are 'unknowingly' leaking sensitive information on their
users, including their email addresses, usernames, passwords, phone
numbers, full names, chat messages and location data.
The investigation, led by Bob Diachenko from Security Discovery in
partnership with Comparitech, is the result of an analysis of 15,735
Android apps, which comprise about 18 percent of all apps on Google
Play store.
"4.8 percent of mobile apps using Google Firebase to store user data
are not properly secured, allowing anyone to access databases
containing users' personal information, access tokens, and other data
without a password or any other authentication," Comparitech said.
Acquired by Google in 2014, Firebase is a popular mobile application
development platform that offers a variety of tools to help
third-party app developers build apps, securely store app data and
files, fix issues, and even engage with users via in-app messaging
features.
With the vulnerable apps in question — mostly spanning games,
education, entertainment, and business categories — installed 4.22
billion times by Android users, Comparitech said: "the chances are
high that an Android user's privacy has been compromised by at least
one app."
Given that Firebase is a cross-platform tool, the researchers also
warned that the misconfigurations are likely to impact iOS and web
apps as well.
The full contents of the database, spanning across 4,282 apps, included:
Email addresses: 7,000,000+
Usernames: 4,400,000+
Passwords: 1,000,000+
Phone numbers: 5,300,000+
Full names: 18,300,000+
Chat messages: 6,800,000+
GPS data: 6,200,000+
IP addresses: 156,000+
Street addresses: 560,000+
Diachenko found the exposed databases using known Firebase's REST API
that's used to access data stored on unprotected instances, retrieved
in JSON format, by simply suffixing "/.json" to a database URL (e.g.
"https://~project_id~.firebaseio.com/.json").
Aside from 155,066 apps having publicly exposed databases, the
researchers found 9,014 apps with write permissions, thus potentially
allowing an attacker to inject malicious data and corrupt the
database, and even spread malware.
Complicating the matter further is the indexing of Firebase database
URLs by search engines such as Bing, which exposes the vulnerable
endpoints for anyone on the Internet. A Google search, however,
returns no results.
After Google was notified of the findings on April 22, the search
giant said it's reaching out to affected developers to patch the
issues.
This is not the first time exposed Firebase databases have leaked
personal information. Researchers from mobile security firm Appthority
found a similar case two years ago, resulting in the exposure of 100
million data records.
Leaving a database exposed without any authentication is an open
invite for bad actors. It's therefore recommended that app developers
adhere to Firebase database rules to secure data and prevent
unauthorized access.
Users, for their part, are urged to stick to only trusted apps and be
cautious about the information that's shared with an application.
More information about the BreachExchange
mailing list