New variant of HospitalGown vulnerability spotted in scores of Android and iOS apps
A new variant of the HospitalGown vulnerability has been discovered by security researchers. The HospitalGown flaw is not caused by any malicious code, but by the failure of app developers to secure backend servers. The vulnerability leaves enterprises open to a potential breach, data theft and more.
The new HospitalGown variant has already significantly impacted both Android and iOS users.
The flaw occurs when app developers fail to require authentication to a Google Firebase cloud database. Although Firebase is one of the most popular mobile backend database technologies used for mobile apps, it does not secure users by default. It doesn’t provide third-party encryption tools and also doesn’t conduct any security checkups.
“To secure data properly, developers need to specifically implement user authentication on all database tables and rows, which rarely happens in practice. Moreover, it takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile data app records,” security researchers at Appthority, who discovered the new vulnerability, wrote in a report.
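The misconfiguration described above can be checked for before an app ships. The following is an added example, not code from Appthority or Google: it assumes the backend uses Firebase Realtime Database security rules (JSON with `.read` and `.write` keys), and the two rule sets and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample rules in Firebase Realtime Database format (not from the report).
OPEN_RULES = json.loads("""
{"rules": {
  ".read": true,
  "users": {"$uid": {".write": "auth != null && auth.uid === $uid"}},
  "tokens": {".write": "true"}
}}
""")

HARDENED_RULES = json.loads("""
{"rules": {
  "users": {"$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"
  }},
  "tokens": {".read": false, ".write": false}
}}
""")


def grants_without_auth(value):
    """True if a .read/.write rule can allow access without consulting `auth`."""
    if isinstance(value, bool):
        return value
    expr = str(value).strip()
    # Heuristic (assumption): an expression that never references the `auth`
    # variable cannot depend on who is asking. It does not evaluate the
    # expression, so a rule such as "auth == null" still needs manual review.
    return expr != "false" and re.search(r"\bauth\b", expr) is None


def audit(rules, path=""):
    """Return sorted (path, operation) pairs open to unauthenticated clients."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if grants_without_auth(value):
                # Grants cascade: an open rule here also covers every child path.
                findings.append((path or "/", key[1:]))
        elif isinstance(value, dict):
            findings.extend(audit(value, f"{path}/{key}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(doc["rules"]))
```

Because a grant at a parent path cannot be revoked deeper in the tree, a finding at `/` means every record in the database is exposed regardless of the stricter rules under `users`.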
The Firebase vulnerability has already impacted numerous organizations across various industries globally. According to Appthority researchers, over 22,000 Android apps and over 1,200 iOS apps are connected to Firebase. Additionally, around 47% of the connected iOS apps and 9% of the Android apps are vulnerable.
Researchers said over 3,000 Android and iOS apps from 2,3000 unsecured Firebase databases are leaking data. Alarmingly, the leaking Android apps have so far been downloaded nearly 620 times.
The vulnerability has also exposed around 100 million records. The data exposed includes 2.6 million user IDs and plaintext passwords, 25 million GPS records, over 4.5 million Facebook, LinkedIn, Firebase, and corporate data store user tokens, 50 thousand financial records including banking, payment and Bitcoin transactions and over 4 million Protected Health Information (PHI) records.
“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” Seth Hardy, Appthority Director of Security Research, said in a statement. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security.
“To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities.”