Developers using Firebase urged to check configuration after leak exposed

12 May 2020

App development companies using Google’s Firebase tool have been warned to urgently check their configuration, as researchers from Comparitech found thousands of apps leaking personal information.

Firebase, a data storage solution for apps, is used by an estimated 30% of all apps on the Google Play store – and data from Comparitech’s study released today indicates that 4.8% of apps using Firebase are ‘not properly secured’.

This could potentially allow threat actors access to personally identifiable information, access tokens, and other data without a password or authentication. 

“Comparitech’s security research team led by Bob Diachenko examined 515,735 Android apps, which comprise about 18% of all apps on Google Play,” says Comparitech tech writer Paul Bischoff in a blog post on the Comparitech website.

“In that sample, we found more than 4,282 apps leaking sensitive information. If we extrapolate those figures, an estimated 0.83% of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total.”

Further research found that vulnerable applications have been installed 4.22 billion times by Android users. 

Email addresses were the most exposed asset, followed by usernames, passwords, phone numbers, and full names.

Comparitech reported that games were the app category with the highest number of vulnerable apps, followed by education and entertainment.

Of the 155,066 Firebase apps analysed, 11,730 had publicly exposed databases, according to Comparitech.

9,014 of them included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.

If granted this access, attackers could use the information to inject nefarious data into an app, scam users, spread malware or corrupt the app database.

Comparitech then took the findings to Google. In response, a Google spokesperson said:

“Firebase provides a number of features that help our developers configure their deployments securely. 

“We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. 

“We are reaching out to affected developers to help them address these issues.”

Comparitech exploited a common misconfiguration to gain access to an app's stored data: the Firebase database URL is typically bundled in the app's resources, and the database itself is served over a REST API.

If the database's security rules allow public reads, an attacker can simply append '.json' to that URL (or to the path of any node inside the database). The request needs no password or token, and the response is the full contents of the database or node.

“Some of the databases were too large for one download request, so researchers used a ‘shallow’ keyword option to limit the depth of the response, iterating only through keys and downloading the database chunk by chunk,” says Bischoff.

“To analyse data stored in exposed databases, researchers searched for patterns corresponding to sensitive information such as email addresses, phone numbers, passwords, secret tokens, etc. 

“They then manually checked collected information for false positives.”
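The probe described above, as an added example that is not Comparitech's tooling or Google's code: it builds the `.json` URL for a node, uses `?shallow=true` to list child keys so a large tree can be walked node by node, classifies each response as readable or denied, and runs the same kind of pattern search for emails, phone numbers and secrets. The project URL, node names, canned responses and rules fragments are constructed for illustration; network access is behind a pluggable fetch function so the module runs offline.

```python
"""Check a Firebase Realtime Database for unauthenticated REST access.

Added example; not Comparitech's scanner. Hostnames, node names and the
canned responses are constructed, not taken from any real app.
"""
import json
import re
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

Response = Tuple[int, str]            # (HTTP status, response body)
Fetcher = Callable[[str], Response]   # url -> Response


def probe_url(db_url: str, path: str = "/", shallow: bool = False) -> str:
    """REST URL for a node: <db>/<path>.json, optionally with ?shallow=true.

    Appending .json to a node path returns that subtree; shallow=true returns
    only the immediate child keys as {"key": true, ...}, which is how a tree
    too large for one request is walked chunk by chunk."""
    parts = urlsplit(db_url)
    node = "/" + "/".join(seg for seg in path.split("/") if seg)
    query = "shallow=true" if shallow else ""
    return urlunsplit((parts.scheme, parts.netloc, node + ".json", query, ""))


def http_fetch(url: str, timeout: float = 10.0) -> Response:
    """Real network fetch (only use against databases you are authorised to test)."""
    req = Request(url, headers={"User-Agent": "firebase-rules-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """'exposed' = readable without credentials; 'locked' = rules deny it
    (Firebase answers 401 {"error": "Permission denied"}); 'empty' = readable
    but absent node (body is the JSON literal null)."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        return "empty" if data is None else "exposed"
    if status in (401, 403):
        return "locked"
    return "unknown"


# Coarse patterns of the kind the researchers searched for; hits still need
# a manual false-positive pass, as the article says.
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d ()-]{7,}\d"),
    "token": re.compile(r'"(?:token|secret|api_?key|password)"\s*:\s*"[^"]+"', re.I),
}


def scan_sensitive(body: str) -> Dict[str, int]:
    """Count pattern hits per category in one node's JSON body."""
    return {name: len(rx.findall(body)) for name, rx in SENSITIVE.items()}


def audit(db_url: str, fetch: Fetcher) -> Dict[str, object]:
    """Shallow-probe the root, then fetch each top-level child and report
    whether it is readable and what it appears to contain."""
    status, body = fetch(probe_url(db_url, "/", shallow=True))
    verdict = classify(status, body)
    nodes: Dict[str, Dict[str, object]] = {}
    report: Dict[str, object] = {"root": verdict, "nodes": nodes}
    if verdict != "exposed":
        return report
    for key in sorted(json.loads(body)):
        s, b = fetch(probe_url(db_url, key))
        nodes[key] = {"state": classify(s, b), "hits": scan_sensitive(b)}
    return report


# Rules fragments: the permissive "test mode" default versus rules that
# require a signed-in user and scope each user to their own subtree.
WEAK_RULES = {"rules": {".read": True, ".write": True}}
HARDENED_RULES = {"rules": {"users": {"$uid": {
    ".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}}}}


def rules_world_accessible(rules: Dict[str, object]) -> List[str]:
    """Operations granted unconditionally at the root; a root ".read": true
    is exactly what makes the .json request above succeed."""
    root = rules.get("rules", {})
    return [op for op in (".read", ".write") if root.get(op) is True]


# Constructed responses standing in for a misconfigured database.
_CANNED = {
    "https://example-app.firebaseio.com/.json?shallow=true":
        (200, '{"users": true, "config": true}'),
    "https://example-app.firebaseio.com/users.json":
        (200, '{"u1": {"email": "alice@example.com", "phone": "+1 555 010 0100"}}'),
    "https://example-app.firebaseio.com/config.json":
        (200, '{"api_key": "constructed-secret-000"}'),
}


def canned_fetch(url: str) -> Response:
    """Offline stand-in for http_fetch."""
    return _CANNED.get(url, (404, ""))


if __name__ == "__main__":
    print(json.dumps(audit("https://example-app.firebaseio.com", canned_fetch), indent=2))
    print("world-accessible at root:", rules_world_accessible(WEAK_RULES))
```

Swap `canned_fetch` for `http_fetch` to run it against a database you are authorised to test. A `locked` verdict on the root does not prove the rules are sound: rules cascade downward, so a subtree can still be readable when the root is not, and write access has to be checked separately.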
