In the analysis, security researchers found that more than 4,000 Android apps using Google's cloud-hosted Firebase are unknowingly exposing users' sensitive information, including usernames, passwords, full names, chat messages, and phone numbers.
Firebase is a mobile and web application development platform, developed by Firebase in 2011 and acquired by Google in 2014. The platform helps third-party developers by offering a variety of tools to build apps, securely store app data and files, and engage with users through messaging features.
The security team, led by Bob Diachenko of Security Discovery together with Comparitech, examined over 515,735 Android apps from the Play Store.
More than 4,282 Android apps were leaking sensitive data; that is an estimated 0.83% of all applications on Google Play leaking sensitive data through Firebase.
Comparitech said
Firebase is a cross-platform tool used across several operating systems and platforms, and the researchers said the misconfiguration also affects iOS and web apps, not only Android.
Firebase exposed data
The exposed data includes:
- E-mail addresses: 7,000,000+
- Usernames: 4,400,000+
- Passwords: 1,000,000+
- Phone numbers: 5,300,000+
- Full names: 18,300,000+
- Chat messages: 6,800,000+
- GPS data: 6,200,000+
- IP addresses: 156,000+
- Street addresses: 560,000+
Researchers also found credit card numbers and photos of government-issued identification.
Scrubs exposed databases from search results
The researchers used Firebase's REST API to read each stored database by appending .json to the database URL.
For example https://.firebaseio.com/.json
After analysing 11,730 publicly exposed databases, the researchers found that 9,014 of them also granted write permissions, which allows unauthenticated attackers to modify, add to, or delete the entire database.
The exposed database could allow an attacker to:
- Inject data into an application
- Scam people through phishing
- Spread malware
- Corrupt the application's database
After the investigation was completed, Google was notified of the findings with a detailed report.
Guidelines to be followed by Developers:
- Follow Google’s own Firebase documentation.
- Prevent unauthorized users from accessing the database
- Never store passwords in plain text
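The exposure described above comes down to Firebase Realtime Database security rules that grant `.read`/`.write` to everyone, which is exactly what the REST `.json` check surfaces. The following is an added example (not the researchers' tooling and not Firebase's own code): it shows the open rule set beside a hardened one, a small linter that flags any rule granting access without `auth`, and a self-check you can run against your own project's database URL. The rule-set contents, the function names and the `<your-project>` placeholder are constructed for this example.

```python
"""Audit Firebase Realtime Database rules for the open-access misconfiguration
described in the article, and self-check your own project's REST endpoint.
Added example; not the researchers' tooling or Firebase's own code."""
import json
import urllib.error
import urllib.request

# Constructed example: the rule set that makes a database world-readable and
# world-writable (what the article calls a "publicly exposed" database).
WEAK_RULES = """
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
"""

# Constructed example of a hardened rule set: anonymous access denied at the
# root, and each signed-in user may only read and write their own subtree.
HARDENED_RULES = """
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
"""


def _walk(node: dict, path: str, findings: list) -> None:
    """Recursively inspect a rules tree, recording every .read/.write rule that is
    unconditionally true or whose expression never references auth. Heuristic:
    a deliberately public subtree will also be flagged, which is the point of a
    review, since the article's exposures were not deliberate."""
    for key, value in node.items():
        if key in (".read", ".write"):
            if value is True:
                findings.append(f"{path or '/'}: {key} is unconditionally true")
            elif isinstance(value, str) and "auth" not in value:
                findings.append(f"{path or '/'}: {key} does not require auth")
        elif isinstance(value, dict):
            _walk(value, f"{path}/{key}", findings)


def audit_rules(rules_json: str) -> list:
    """Return a list of findings; an empty list means no rule in the tree grants
    access without authentication."""
    rules = json.loads(rules_json).get("rules", {})
    findings: list = []
    _walk(rules, "", findings)
    return findings


def classify_probe(status: int, body: str) -> str:
    """Interpret the answer to an unauthenticated GET of <db_url>/.json.
    200 means the rules grant anonymous read; Firebase answers 401 with
    {"error": "Permission denied"} when they do not."""
    if status == 200:
        return "public-read"
    if status in (401, 403) or "Permission denied" in body:
        return "denied"
    return "unknown"


def probe_own_database(db_url: str) -> str:
    """Fetch the root of *your own* database without credentials and classify
    the response, e.g. probe_own_database("https://<your-project>.firebaseio.com")."""
    req = urllib.request.Request(db_url.rstrip("/") + "/.json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_probe(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read().decode())


if __name__ == "__main__":
    print("weak rules:", audit_rules(WEAK_RULES))        # two findings at "/"
    print("hardened rules:", audit_rules(HARDENED_RULES))  # []
```

Run `audit_rules` over the rules exported from your Firebase console before each deploy, and treat any finding at `/` as a blocker; `probe_own_database` confirms from the outside that the deployed rules actually deny anonymous reads.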
Guidelines to be followed by Users
- Never reuse the same password across multiple platforms
- Do not share sensitive information such as government ID, Social Security numbers, etc.
- Use only trusted apps