Sensitive data exposed by apps based on cloud-hosted Firebase

More than 24,000 Android apps in the Google Play store that use Google's cloud-hosted Firebase databases were found to be exposing sensitive information about their users, including email addresses, usernames, passwords, phone numbers, full names, credit cards, chat messages and location data.

"4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication," Comparitech said. Many of the leaky apps are quite popular, with 4.22 billion collective downloads. The affected apps are in popular categories: games, education, entertainment, and business. The contents of millions of databases are visible using a simple trick. The researchers also found 9,014 apps with write permissions, potentially allowing an attacker to inject malicious data, corrupt the database, and even spread malware. Moreover, the Firebase database URLs are indexed by some search engines such as Bing, which exposes the vulnerable endpoints to anyone on the Internet.
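For developers, the misconfiguration described above (databases readable or writable without authentication) can be caught before release by auditing the database's security rules. The following is an added example, not code from Comparitech or Google; it assumes the rules are exported as strict JSON in the Firebase Realtime Database rules format, and the function names and sample rules are constructed for illustration.

```python
import json

# Constructed sample in the Realtime Database rules format (not from a real app).
SAMPLE_RULES = """
{
  "rules": {
    "public_feed": { ".read": true, ".write": "auth != null" },
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "chat": { ".read": "true", ".write": true }
  }
}
"""

def is_unconditional(rule):
    """True when a rule grants access to everyone, authenticated or not."""
    if isinstance(rule, bool):
        return rule
    return isinstance(rule, str) and rule.strip().lower() == "true"

def audit(node, path="/", inherited=frozenset()):
    """Walk the rules tree and return (path, operation, reason) findings.

    Grants cascade downward: a child cannot revoke access allowed at a
    parent, so descendants of an open node are reported as open too.
    """
    findings = []
    granted = set(inherited)
    for op in (".read", ".write"):
        if op in inherited:
            findings.append((path, op, "inherited"))
        elif is_unconditional(node.get(op, False)):
            findings.append((path, op, "explicit"))
            granted.add(op)
    for key, child in node.items():
        if isinstance(child, dict):  # skips .read/.write/.validate/.indexOn values
            findings += audit(child, path.rstrip("/") + "/" + key, frozenset(granted))
    return findings

def audit_rules(text):
    return audit(json.loads(text)["rules"])

if __name__ == "__main__":
    for path, op, reason in audit_rules(SAMPLE_RULES):
        print(f"{op[1:]:5} open to anyone at {path} ({reason})")
```

An empty result means no path is unconditionally open; rules that depend on `auth` or on stored data still need manual review.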

Exposed database

This is not even the first time that exposed Firebase databases have leaked personal information. As a minimum precaution, users should not link their apps and accounts together unless they have to, and should use trustworthy antimalware and antivirus apps. These will at least reduce the chances of downloading malicious files and software onto the user's device.