Apps with dodgy databases leak millions of user details — including plaintext passwords


Firebase on two devices.

  • Apps with misconfigured Firebase database servers have leaked 113GB of data, according to new research.
  • The apps leaked plain-text passwords, health records, financial records and other information.
  • The vulnerable apps were downloaded more than 620 million times, suggesting a few popular picks are affected by the issue.

Information belonging to millions of users has been leaked via apps with misconfigured Firebase databases, according to a new report by Appthority (h/t: XDA-Developers).

Firebase is one of the more popular mobile/web development platforms, powering app features like messaging, notifications, and authentication. Unfortunately, many developers aren’t doing the necessary legwork to secure user data related to the platform, Appthority noted.

The team sifted through 2.7 million Android and iOS apps, discovering that over 3,000 apps were leaking data from 2,300 unsecured servers. In hard numbers, Appthority said 100 million records (or 113GB of data) were leaked via these apps.

These records include 2.6 million plaintext passwords and IDs, over four million protected health information records, 25 million GPS location records, 50,000 financial records, and 4.5 million user tokens (e.g. Facebook, LinkedIn, Firebase).

What about affected apps?

The organization said the vulnerable Android apps were downloaded more than 620 million times, suggesting this isn’t limited to niche apps. Moreover, fitness and health apps had the most data leaked. This was particularly concerning, Appthority said, as medical data is considered more valuable than credit card numbers for fraud.

Editor’s Pick

related article

An introduction to Firebase – the easiest way to build powerful, cloud-enabled Android apps

Google I/O 2017 is rapidly approaching and taking a look at the scheduled sessions, it’s apparent that Firebase will be featuring heavily. This is something of a clue as to how Google views Firebase. In …

The team hasn’t disclosed which apps are affected, so there’s no real way to know whether your data is compromised. We’d recommend changing your passwords (though we realize that the affected apps could leak the new password too).

The team said they’ve notified Google about the issue, providing the company with a list of affected apps and database servers.

We’ve contacted Appthority for information on affected apps and will update the article when/if we get a response.

via Android Authority

July 3, 2018 at 02:35AM