Appthority published research on its discovery of a new HospitalGown threat variant that occurs when app developers fail to require authentication to Google Firebase databases.
Appthority security researchers discovered the HospitalGown vulnerability in 2017. It leads to data exposures that are due not to any code in the app, but to the app developers’ failure to properly secure backend data stores (hence the name). The new Firebase variant exposes large amounts of mobile app-related data stored in unsecured Firebase databases.
Data exposed by the Firebase vulnerability includes personally identifiable information (PII), private health information (PHI), plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and registration numbers, and more, all leaking from vulnerable apps. To date, Appthority is the only mobile security vendor researching and protecting against these large-scale back-end data exposures.
“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” said Seth Hardy, Appthority Director of Security Research. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security.