Skip to content

June 30, 2018

Thousands of Android and iOS apps are leaking your data through their Firebase backend

by John_A

Apps are inadvertently leaking data through 2,271 misconfigured databases.

Firebase is a great service for any small developer who needs to have an online service at their disposal. It’s powered by Google and the company goes out of its way to help developers use it in their mobile apps. You can see by simply watching any Google I/O session video about Firebase that developer actually cheer when the service is mentioned.

Apparently, some of those developers have hit a snag when it comes to configuring the database they may be using to store your data. After scanning 2.7 million apps, security researchers at Appthority say more than 113GB of data is available through over 2,200 Firebase databases to anyone who knows the right URL. In total, there are over 100 million personal records exposed.

firebase-server-leak-2018.jpg?itok=HAMYd

Researchers found 28,500 apps that used Firebase to connect and store user details, of which 3,046 stored their data inside a misconfigured Firebase database that was readable through the use of a JSON URL scheme. The majority of the apps that use Firebase are for Android, but 600 apps that exposed data are for iOS. The problem is platform-agnostic, and the apps in question aren’t the culprit here. It’s simply the database configuration on the backend.

The information leaked contains:

  • 2.6 million plaintext passwords and user IDs.
  • 4 million+ PHI (Protected Health Information) records.
  • 25 million GPS records.
  • 50 thousand financial including Bitcoin transactions.
  • 4.5 million Facebook, LinkedIn, corporate data-store user tokens.

Appthority informed Google about the database configuration and provided the list of affected apps before this report was published. We’ve reached out to see if Google has anything they would like to add and will update once it’s received.

Appthority is no stranger to finding poorly configured online databases. Previously the company has found “critical” user data exposed through services like MongoDB, CouchDB, Redis, MySQL, and Twilio.

Advertisements
Read more from News

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

Note: HTML is allowed. Your email address will never be published.

Subscribe to comments

%d bloggers like this: