Security researchers report that thousands of Android apps are unknowingly leaking billions of pieces of user data because of a Firebase database flaw.
Security researchers from Comparitech claim that at least 24,000 Android applications have been leaking sensitive user data. The team adds that the leak appears to be unintentional. The main culprit appears to be an unpatched security hole in Google’s Firebase database.
Database leak
In total, Comparitech says it analyzed more than 155,000 apps from the Google Play Store. According to the team, 11,730 of these apps use publicly exposed databases.
A closer look reveals that 4,282 of these apps are leaking sensitive user data to the public. This includes usernames, passwords, email addresses, credit card information, and government-issued photo IDs.
Of the 11,730 apps that have exposed databases, 9,014 have write permissions. This means that malicious hackers can essentially create, read, update, and delete data on the server.
The study claims that more than 30% of all apps on Google’s Play Store use Firebase. These figures cover only a fraction of the apps currently on the Play Store and of those that use the platform.
The researchers say they have already notified Google about the security breach. As a precautionary measure, Google says that it has notified all developers affected by the breach. The tech giant adds that it is also helping these developers fix the issue.
The researchers claim that the breach springs from a simple Firebase database misconfiguration. Because of this, hackers can just add “.json” to the end of a Firebase domain to access and download the contents of these databases.
Google does not index these domains on its search engine as a security measure. However, some search engines like Bing still index these domains.
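For developers checking their own project, the following is an added example (not from the article or from Firebase) that audits an exported Realtime Database rules file for unconditional grants. It assumes the misconfiguration described above takes the form of `.read` or `.write` rules set to `true`; both sample rule sets are constructed.

```python
import json

# Constructed sample rules (not from any real app). WEAK is the kind of
# configuration the article describes: world-readable and world-writable.
WEAK = json.loads("""
{"rules": {".read": true, ".write": true,
           "users": {"$uid": {".read": "auth != null && auth.uid === $uid"}}}}
""")

# Constructed hardened counterpart: no access at the root, per-user access only.
HARDENED = json.loads("""
{"rules": {"users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                              ".write": "auth != null && auth.uid === $uid"}}}}
""")


def is_public(expr):
    """True when a rule grants access unconditionally (true or "true")."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def audit(rules, path="/", inherited=frozenset()):
    """Walk a Realtime Database rules tree and return findings as
    (path, operation, reason) tuples. .read/.write grants cascade to child
    paths and cannot be revoked deeper in the tree, so a strict child rule
    under a public parent is reported as ineffective."""
    findings = []
    public_here = set(inherited)
    for op in (".read", ".write"):
        if op in rules and is_public(rules[op]):
            findings.append((path, op, "public"))
            public_here.add(op)
        elif op in inherited and op in rules:
            findings.append((path, op, "overridden by public parent"))
    for key, child in rules.items():
        if not key.startswith(".") and isinstance(child, dict):
            findings += audit(child, path + key + "/", frozenset(public_here))
    return findings


def audit_document(doc):
    """Audit a full rules document of the form {"rules": {...}}."""
    return audit(doc.get("rules", {}))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_document(doc) or "no public grants")
```

A non-empty result for a production rules file means the database contents are reachable without authentication at the reported path.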
What is Firebase
Firebase is Google’s main development platform for mobile and web applications. The platform provides tools and suites which developers can use in developing their products. More than 1.5 million apps use Firebase as their main development platform.
Application developers can use a wide range of Firebase tools to build their website or mobile app. Among the tools that the platform provides are cloud storage, website hosting, user authentication, and real-time database solutions.
It is important to note that Firebase is not limited to the development of Android apps. The platform is a popular backend solution for iOS app development as well.