
Developers using Firebase urged to check configuration after leak exposed

12 May 2020

App development companies using Google’s Firebase tool have been warned to urgently check their configuration, as researchers from Comparitech found thousands of apps leaking personal information.

Firebase, Google’s backend platform for mobile and web apps (including its Realtime Database), is used by an estimated 30% of all apps on the Google Play store – and data from Comparitech’s study released today indicates that 4.8% of apps using Firebase are ‘not properly secured’.

This could potentially allow threat actors access to personally identifiable information, access tokens, and other data without a password or authentication. 

“Comparitech’s security research team led by Bob Diachenko examined 515,735 Android apps, which comprise about 18% of all apps on Google Play,” says Comparitech tech writer Paul Bischoff in a blog post on the Comparitech website.

“In that sample, we found more than 4,282 apps leaking sensitive information. If we extrapolate those figures, an estimated 0.83% of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total.”

Further research found that vulnerable applications have been installed 4.22 billion times by Android users. 

Email addresses were the most exposed asset, followed by usernames, passwords, phone numbers, and full names.

Comparitech reported that games were the app category with the highest number of vulnerable apps, followed by education and entertainment.

Of the 155,066 Firebase apps analysed, 11,730 had publicly exposed databases, according to Comparitech.

9,014 of them included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.

With write access, attackers could inject malicious data into an app, scam its users, spread malware or corrupt the app database.

Comparitech then took the findings to Google. In response, a Google spokesperson said:

“Firebase provides a number of features that help our developers configure their deployments securely. 

“We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. 

“We are reaching out to affected developers to help them address these issues.”

Comparitech found each app’s Firebase database address in the app’s packaged resources, then exploited a common misconfiguration: database security rules that allow anyone to read (and, in many cases, write) the data without authenticating.

If the database is publicly exposed, an attacker simply appends ‘.json’ to the database URL found in the app (the Realtime Database REST interface) – and an unauthenticated GET request returns the full contents of the database.

“Some of the databases were too large for one download request, so researchers used a ‘shallow’ keyword option to limit the depth of the response, iterating only through keys and downloading the database chunk by chunk,” says Bischoff.

“To analyse data stored in exposed databases, researchers searched for patterns corresponding to sensitive information such as email addresses, phone numbers, passwords, secret tokens, etc. 

“They then manually checked collected information for false positives.”
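To make the check concrete, here is an added example (written for this page, not code from Comparitech or from the article) that re-creates the procedure described above offline: build the ‘.json’ REST URL, test whether an unauthenticated read succeeds, walk the database chunk by chunk with `shallow=true`, scan the result for e-mail, phone and secret patterns, and finally audit a rules document for the root-level `".read": true` / `".write": true` that causes the exposure. The database contents, the project URL and all function names are constructed assumptions; a fake fetch stands in for HTTP so nothing touches a real database.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample database (made up; not from any real app).
FAKE_DB = {
    "users": {
        "u1": {"email": "alice@example.com", "phone": "+1 555 010 0199", "name": "Alice"},
        "u2": {"email": "bob@example.org", "password": "hunter2", "token": "abc123"},
    },
    "settings": {"theme": "dark"},
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
SECRET_KEYS = ("password", "token", "secret", "apikey")


def probe_url(db_url, path="/", shallow=False):
    """Turn '<db>' + node path into the REST form '<db>/<path>.json',
    optionally adding shallow=true so only the keys come back."""
    parts = urlsplit(db_url)
    node = path.strip("/")
    rest = "/" + (node + ".json" if node else ".json")   # root -> '/.json'
    return urlunsplit((parts.scheme, parts.netloc, rest, "shallow=true" if shallow else "", ""))


def make_fake_fetch(db, public):
    """Hypothetical stand-in for an HTTP GET against the database REST endpoint.
    Returns (status, body) the way the real endpoint behaves: 200 with JSON when
    the rules allow unauthenticated reads, 401 with an error object otherwise."""
    def fetch(url):
        if not public:
            return 401, {"error": "Permission denied"}
        parts = urlsplit(url)
        shallow = parse_qs(parts.query).get("shallow") == ["true"]
        node = db
        for seg in parts.path[: -len(".json")].strip("/").split("/"):
            if seg:
                node = node.get(seg) if isinstance(node, dict) else None
        if node is None:
            return 200, None                       # missing node reads as null
        if shallow and isinstance(node, dict):
            return 200, {k: True for k in node}    # shallow: keys only
        return 200, node
    return fetch


def is_publicly_readable(fetch, db_url):
    """The basic check: does an unauthenticated GET of '/.json' succeed?"""
    status, _ = fetch(probe_url(db_url, shallow=True))
    return status == 200


def walk_shallow(fetch, db_url, path="/"):
    """Download a database in chunks: list child keys with shallow=true, then
    fetch each child subtree separately instead of one huge request."""
    status, keys = fetch(probe_url(db_url, path, shallow=True))
    if status != 200:
        raise PermissionError(f"HTTP {status} for {path}")
    if not isinstance(keys, dict):
        return keys                                # leaf value
    out = {}
    for key in keys:
        _, body = fetch(probe_url(db_url, path.rstrip("/") + "/" + key))
        out[key] = body
    return out


def find_sensitive(obj, path="", hits=None):
    """Flag string values that look like e-mails or phone numbers and keys that
    name secrets; returns a list of (category, path) for manual review."""
    hits = [] if hits is None else hits
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}/{k}"
            if k.lower() in SECRET_KEYS:
                hits.append(("secret", here))
            find_sensitive(v, here, hits)
    elif isinstance(obj, str):
        if EMAIL_RE.fullmatch(obj):
            hits.append(("email", path))
        elif PHONE_RE.fullmatch(obj):
            hits.append(("phone", path))
    return hits


# The weak setting beside a corrected one (both assumed, illustrative rules).
INSECURE_RULES = {"rules": {".read": True, ".write": True}}
SAFER_RULES = {"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}


def audit_rules(rules):
    """Return (rule, path) pairs that grant read or write to everyone."""
    findings = []
    def walk(node, path):
        for k, v in node.items():
            if k in (".read", ".write") and (v is True or v == "true"):
                findings.append((k, path or "/"))
            elif isinstance(v, dict):
                walk(v, f"{path}/{k}")
    walk(rules.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    url = "https://example-app-12345.firebaseio.com"   # hypothetical project
    fetch = make_fake_fetch(FAKE_DB, public=True)
    print("public read:", is_publicly_readable(fetch, url))
    for cat, where in find_sensitive(walk_shallow(fetch, url)):
        print(cat, where)
    print("insecure:", audit_rules(INSECURE_RULES), "safer:", audit_rules(SAFER_RULES))
```

A developer can run the same probe against their own project with `curl https://<project>.firebaseio.com/.json?shallow=true`: a `Permission denied` error is the correct answer. Note that the audit only catches the literal `true` case; a rule such as `".read": "auth != null"` still lets anyone who signs up for an account read everything, so per-user conditions like the `$uid` check above are what actually limit exposure.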
