More than 4,000 Android apps that use Google's cloud-hosted Firebase databases are 'unknowingly' leaking sensitive information.

Stopspying

"More than 4,000 Android apps that use Google's cloud-hosted Firebase databases are 'unknowingly' leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.

"4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication," Comparitech said."

More on this - Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

There was a similar security issue with Firebase in 2018 - Security Alert - 3,000+ mobile apps leaking data from unsecured Firebase databases
 

Ink

If it's easy to get wrong, then it's developed to be insecure by default.
This question from a developer who got a warning email from Google received an answer from Firebase engineer Frank van Puffelen, who explained that simply requiring authentication is insufficient.

"If you enable any auth provider in Firebase Authentication, anyone can sign in to your back-end, even without using your app. Depending on the provider, this can be as easy as running a bit of JavaScript in your browser's developer console. And once they are signed in, they can read and write anything in your database."

Firebase configuration is, it seems, easy to get wrong.
It's quite common that these server services are misconfigured, leaking all sorts of sensitive data; Amazon, Google and others all enjoy this.
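
An added example, not part of the thread and not Firebase's own tooling: a small Python check over a Firebase Realtime Database rules file that flags the two cases discussed above, rules open to everyone and rules that only require sign-in. The sample rule sets are constructed, and the script assumes the rules are exported as strict JSON without comments.

```python
import json
import re

# Constructed sample rule sets (not taken from any real app).
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
AUTH_ONLY_RULES = '{"rules": {".read": "auth != null", ".write": "auth != null"}}'
SCOPED_RULES = '''{"rules": {"users": {"$uid": {
    ".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}}}}'''

# Matches a rule whose whole condition is "the caller is signed in".
AUTH_ONLY = re.compile(r"^auth(\.uid)?\s*!==?\s*null$")


def classify(expr):
    """Return a finding for a .read/.write value, or None if it is not flagged."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "public: no authentication required"
    if isinstance(expr, str) and AUTH_ONLY.match(expr.strip()):
        return "any signed-in account: no per-user condition"
    return None


def audit(rules_json):
    """Walk the rules tree and list (path, key, finding) for permissive grants."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                problem = classify(value)
                if problem:
                    findings.append((path or "/", key, problem))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    for name, doc in [("open", OPEN_RULES), ("auth-only", AUTH_ONLY_RULES),
                      ("scoped", SCOPED_RULES)]:
        print(name, audit(doc) or "no permissive grants found")
```

This is a textual heuristic: it does not evaluate rule expressions, so a compound condition that is permissive in effect is not flagged.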
 
