Developers Not Sticking to Firebase Guidelines Risking Personal Data of Millions

The mayhem caused by Shiney Hunters groups to multiple organizations was still afresh when a researcher reported roughly 24,000 Android apps leaking user data.

What exactly happened?

Security researchers at Comparitech discovered misconfigured Google Firebase databases allowing attackers to find and steal data form storage. Firebase is a mobile and web application development platform with SDKs for multiple platforms, including Android, iOS, web, C++, and Unity (for games).

Key insights from the report

  • The team revealed that an estimated 30% of all apps on the Google Play Store use Firebase.
  • The security team reviewed about 18% of apps in the Play store and found 4,282 apps leaking sensitive information.
  • 4.8 percent of mobile apps that use Firebase to store user data are not properly secured. 
  • These databases containing users’ information, access tokens, and other data without any password protection.
  • Going by the Google Play category, game apps topped the list in exposing databases, followed by education apps, entertainment, business, and travel, in that order.

Access to database

As surprising as it can get, no complex hacking skills were required to pilfer data.
  • To find Firebase URLs, experts sought each app's resources for text strings ending ".firebaseio[.]com."
  • They added '.json' to the end of the Firebase URL to expose the contents of vulnerable databases. Anyone could have done that, told experts.
  • Exposed data included email addresses, phone numbers, usernames, passwords, addresses, chat messages, GPS data (in case the address is not enough), and more.
  • There were also a few exposures of passport data, credit cards, and "photos of government-issued identification."

Insecurities with Firebase

Everything aside, it not the first time that the security of Firebase databases is in question.
  • In 2018, a report discovered that some 3,000 iOs and Android apps were leaking nearly 113 GB of unprotected data extended over 2,271 databases.
  • Other misconfigured database report from this year revealed that 82% of vulnerabilities are caused due to a misconfiguration issue.

Types of attacks possible

Other than just viewing and downloading data, hackers can also spin up attacks. Here’s what all can they do:
  • Spreading malware.
  • Manipulating an application. For example, adding a fake headline to an established news app.
  • Phishing and scamming application users.
  • Corrupting the application database.

Closing lines

The researchers have advised developers to secure their Firebase configurations, implement proper database rules, and not securing password in plain text. Users shall avoid the repetition of similar passwords, download only trusted and high-rated applications, and never share more than needed personal information on apps.