Security News 3,000+ mobile apps leaking data from unsecured Firebase databases

LASER_oneXM

Feb 4, 2016
Appthority published research on its discovery of a new HospitalGown threat variant that occurs when app developers fail to require authentication to Google Firebase databases.

... ... ....

Appthority security researchers discovered the HospitalGown vulnerability in 2017 which leads to data exposures, not due to any code in the app, but to the app developers’ failure to properly secure backend data stores (hence the name). The new Firebase variant exposes large amounts of mobile app-related data stored in unsecured Firebase databases.


Exposed data from the Firebase vulnerability includes personally identifiable information (PII), private health information (PHI), plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and registration numbers, and more data leaking from vulnerable apps. To date, Appthority is the only mobile security vendor researching and protecting against these large scale back-end data exposures.


“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” said Seth Hardy, Appthority Director of Security Research. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security.

Key findings

  • 3,000 mobile iOS and Android apps – over 620 million Android downloads alone – are leaking data from 2,300 unsecured Firebase databases
  • Multiple app categories are impacted including tools, productivity, health and fitness, communication, cryptocurrency, finance and business apps
  • Most enterprises are impacted: 62% of enterprises have at least one vulnerable app in their mobile environment.
More than 100 million records are exposed, including:
  • 2.6 million plain text passwords and user IDs
  • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
  • 25 million GPS location records
  • 50,000 financial records including banking, payment and Bitcoin transactions
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens.
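The root cause described above is a Realtime Database whose security rules grant read or write access without requiring a signed-in user. The following audit script is an added example (not Appthority's tooling, and not from the original post): it walks a Firebase Realtime Database rules document and flags every `.read` / `.write` grant that is either a literal `true` (open to anyone, authenticated or not, for that node and its whole subtree) or a condition that never consults the `auth` variable. The two rules documents are constructed samples: one open database of the kind the report describes, and one scoped so that each user can only reach their own subtree after authenticating.

```python
"""Audit Firebase Realtime Database security rules for unauthenticated access.

Added example, not Appthority's tooling. The rules documents below are
constructed samples written in the standard Realtime Database rules JSON format.
"""
import json

# Constructed sample: the misconfiguration the report describes. Every client can
# read and write the entire database without signing in.
OPEN_RULES = """
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
"""

# Constructed sample: each user may access only their own subtree, and only after
# Firebase Authentication has issued them an identity (auth != null). One
# deliberately public read-only node is left in to show how it is reported.
SCOPED_RULES = """
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_announcements": {
      ".read": true,
      ".write": "auth != null && root.child('admins').child(auth.uid).exists()"
    }
  }
}
"""


def _walk(node, path, findings):
    """Recursively inspect rule nodes; `path` is the database location being checked."""
    if not isinstance(node, dict):
        return
    for key, value in node.items():
        if key in (".read", ".write"):
            op = key[1:]
            loc = "/" + "/".join(path) if path else "/"
            # A boolean true (or the string "true") grants the operation to anyone,
            # signed in or not, for this node and its entire subtree.
            if value is True or (isinstance(value, str) and value.strip() == "true"):
                findings.append((loc, op, "unauthenticated"))
            # A condition that never references `auth` cannot require sign-in.
            elif isinstance(value, str) and "auth" not in value:
                findings.append((loc, op, "no-auth-check"))
        elif not key.startswith("."):
            # Child location (".validate" / ".indexOn" are not locations and are skipped).
            _walk(value, path + [key], findings)


def audit_rules(rules_json):
    """Return a list of (location, operation, kind) findings for a rules document."""
    doc = json.loads(rules_json)
    findings = []
    _walk(doc.get("rules", {}), [], findings)
    return findings


def root_is_open(rules_json):
    """True when the whole database is readable or writable without authentication."""
    return any(loc == "/" and kind == "unauthenticated"
               for loc, _op, kind in audit_rules(rules_json))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, "root open:", root_is_open(rules))
        for loc, op, kind in audit_rules(rules):
            print(f"  {kind:16} {op:5} at {loc}")
```

The check is intentionally conservative: a `true` grant at the root is reported as the whole database being open, while an isolated public node (such as the announcements feed in the scoped sample) is still listed so that a reviewer can confirm it is public on purpose. The remaining question for any listed location is whether the data stored under it is meant to be world-readable; for the record types in the findings above (passwords, PHI, access tokens, GPS history) the answer is never yes.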
 
