Database security has caught the limelight as data breach incidents continue to escalate. Despite multiple warnings in the past to secure crucial databases with passwords, it appears that Firebase administrators have failed to follow the protocols and sensitive user data can still be found online.

What does the research say?

In a research project conducted in July, Avast found that around 19,300 Firebase databases from a total of 180,300 were left exposed to the internet without authentication.  
  • This accounts for 10.7% of the total Firebase databases that exposed data due to misconfiguration issues. 
  • For the uninitiated, Firebase is a cloud-hostage data storage system for most Android and iOS apps.

What’s the impact?

  • Due to the security lapse, a broad range of different lifestyle, workout, gaming, mail, and food delivery apps are at risk of leaking sensitive data to the public. 
  • The data exposed can include PII of users such as their names, addresses, location data, and in some cases, passwords. 
  • According to Vladimir Martyanov, a researcher at Avast, “Each one of these open instances is a data breach event waiting to happen and can pose critical business, legal and regulatory risks if they happen.”

The bigger picture

  • Apps are a convenient way to build business relationships for several organizations that include retailers, postal services, gyms, and charities. 
  • However, these apps can be a cause of reputational and financial damage if they are not taking security and privacy into consideration.

Recommended actions

Misconfigured databases are entirely avoidable. This is possible when developers stay informed about the potential risk of misconfigured databases and follow the best practices to secure them. Some of the recommended measures to secure Firebase databases include restricting admin access, storing passwords in an encrypted format, and implementing database security rules.

Cyware Publisher