Failure leaves user data vulnerable through thousands of Android and iOS apps
Appthority security researchers have discovered a large number of applications with unprotected Firebase databases. In total, thousands of mobile applications on both iOS and Android expose more than 100 million data records, such as plain-text passwords, user IDs, location data, and financial records such as bank and cryptocurrency transactions.
Firebase is a Google service that has become one of the most popular development platforms for mobile applications by providing developers with a cloud-based database that stores information in JSON format and synchronizes it in real time with all connected clients.
However, Firebase does not protect data by default; developers need to do this manually. If they do not, the content becomes accessible to anyone with knowledge of the subject.
Appthority researchers have found that many application developers fail to adequately protect their Firebase endpoints with firewalls and authentication, which leaves hundreds of gigabytes of their customers’ sensitive data accessible.
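As an added example (not part of the original article or of Appthority's research), the following script audits a Firebase Realtime Database rules file for paths that anyone can read or write without authentication. It assumes the rules are strict JSON in the Realtime Database rules format; the sample rules and the names `is_public` and `audit_rules` are constructed for illustration.

```python
import json

# Constructed sample rules (not from any real app): public read at the root,
# public write on /public_feed, owner-only access under /users/$uid.
SAMPLE_OPEN = """
{"rules": {
  ".read": true,
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                     ".write": "auth != null && auth.uid === $uid"}},
  "public_feed": {".write": "true"}
}}
"""

# Constructed hardened variant: every grant requires the signed-in owner.
SAMPLE_HARDENED = """
{"rules": {
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                     ".write": "auth != null && auth.uid === $uid"}}
}}
"""

def is_public(expr):
    """True when a rule grants access unconditionally (true or "true")."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def audit_rules(rules_json):
    """Return sorted (path, operation) pairs that anyone can read or write."""
    findings = []

    def walk(node, path, inherited):
        # Grants cascade downward: a child rule cannot revoke a parent's grant,
        # so report each open operation once, at the shallowest path.
        granted = set(inherited)
        for op in (".read", ".write"):
            if op not in inherited and is_public(node.get(op)):
                findings.append((path or "/", op))
                granted.add(op)
        for key, child in node.items():
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, f"{path}/{key}", granted)

    walk(json.loads(rules_json).get("rules", {}), "", frozenset())
    return sorted(findings)

if __name__ == "__main__":
    for path, op in audit_rules(SAMPLE_OPEN):
        print(f"PUBLIC {op} at {path}")
```

In the open sample, the owner-only rules under `/users/$uid` do not help for reads, because the public read granted at the root already covers every child path.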
On Android alone, the vulnerable applications have been downloaded more than 620 million times. They span several categories, including communication, cryptocurrency, finance, educational institutions, hotels, and health, among others.
The company says that the exposed data includes 2.6 million passwords and user IDs, more than 4 million PHI (Protected Health Information) records, 25 million location records, 50 thousand financial records, including banking, payment and Bitcoin, and more than 4.5 million user tokens for Facebook, LinkedIn, and corporate data.
According to the researchers, Google has already been notified of the problem.