
Developers using Firebase urged to check configuration after leak exposed

12 May 2020

App development companies using Google’s Firebase tool have been warned to urgently check their configuration, as researchers from Comparitech found thousands of apps leaking personal information.

Firebase, Google's app development platform, whose Realtime Database stores app data in the cloud, is used by an estimated 30% of all apps on the Google Play store – and data from Comparitech's study released today indicates that 4.8% of apps using Firebase are 'not properly secured'.

An unsecured database lets anyone who knows its URL read personally identifiable information, access tokens and other stored data without a password or any other form of authentication.

“Comparitech’s security research team led by Bob Diachenko examined 515,735 Android apps, which comprise about 18% of all apps on Google Play,” says Comparitech tech writer Paul Bischoff in a blog post on the Comparitech website.

“In that sample, we found more than 4,282 apps leaking sensitive information. If we extrapolate those figures, an estimated 0.83% of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total.”

Further research found that vulnerable applications have been installed 4.22 billion times by Android users. 

Email addresses were the most exposed asset, followed by usernames, passwords, phone numbers, and full names.

Comparitech reported that games were the app category with the highest number of vulnerable apps, followed by education and entertainment.

Of the 155,066 Firebase apps analysed, 11,730 had publicly exposed databases, according to Comparitech.

9,014 of those also granted public write access, which would let an attacker add, modify or delete data on the server as well as view and download it.

If granted this access, attackers could use the information to inject nefarious data into an app, scam users, spread malware or corrupt the app database.

Comparitech then took the findings to Google. In response, a Google spokesperson said:

“Firebase provides a number of features that help our developers configure their deployments securely. 

“We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. 

“We are reaching out to affected developers to help them address these issues.”

Comparitech's access path relied on one common misconfiguration. The Firebase database URL is embedded in an app's resources, and the database's security rules decide who may read or write it; when those rules grant read (and often write) access to everyone rather than only to authenticated users, the data is open to anyone who finds the URL.

If the rules allow public reads, an attacker simply appends '.json' to the database URL, the REST form of a Realtime Database path, and the request returns the full contents of that node, with the root URL returning the entire database, without any authentication.

“Some of the databases were too large for one download request, so researchers used a ‘shallow’ keyword option to limit the depth of the response, iterating only through keys and downloading the database chunk by chunk,” says Bischoff.

“To analyse data stored in exposed databases, researchers searched for patterns corresponding to sensitive information such as email addresses, phone numbers, passwords, secret tokens, etc. 

“They then manually checked collected information for false positives.”
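The pieces described above, the security rules that make a database public, the '.json' request, the shallow key enumeration and the pattern search over the dump, pulled together as an added example that is not Comparitech's or Google's code. It runs offline against a constructed in-memory database standing in for the Firebase Realtime Database REST API; the project URL, rule sets and records are made up for the demo, and the fake server only approximates the real `?shallow=true` response (it returns `{child_key: true}` for object children).

```python
"""Walk-through of the Firebase Realtime Database misconfiguration discussed
above, run entirely offline.  Added example; not Comparitech's or Google's code.
The project URL, rule sets, records and the fake REST server are constructed
for this demo (assumptions, not data from the research)."""
import json
import re
from typing import Any, Callable, Dict, List, Tuple

# Constructed project URL; real Realtime Database hosts follow this shape.
BASE = "https://example-project.firebaseio.com"

# --- 1. Security rules: the setting that makes a database public ----------
# Weak rules (the misconfiguration): anyone, signed in or not, may read and
# write the whole tree.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'
# Corrected rules: each user may read and write only their own subtree.
FIXED_RULES = """{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}"""
# Rule expressions that grant access to unauthenticated clients.
PUBLIC_EXPRS = {"true", "auth == null", "auth==null"}

def audit_rules(rules_json: str) -> List[Tuple[str, str]]:
    """Return (path, permission) for every .read/.write that is public."""
    findings: List[Tuple[str, str]] = []

    def walk(node: Any, path: str) -> None:
        if not isinstance(node, dict):
            return
        for key, val in node.items():
            if key in (".read", ".write"):
                if val is True or (isinstance(val, str) and val.strip() in PUBLIC_EXPRS):
                    findings.append((path or "/", key))
            else:
                walk(val, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings

# --- 2. A stand-in for the REST API so the demo runs offline ---------------
# Constructed data: two user records and a scores table.
FAKE_DB: Dict[str, Any] = {
    "users": {
        "u1": {"email": "alice@example.com", "phone": "+64 21 555 0101"},
        "u2": {"email": "bob@example.com", "password": "hunter2"},
    },
    "scores": {"u1": 120, "u2": 95},
}
Fetch = Callable[[str], Tuple[int, Any]]

def make_fake_fetch(db: Dict[str, Any], public: bool) -> Fetch:
    """Mimic GET <BASE>/<path>.json[?shallow=true].  A locked-down database
    answers 401 {"error": "Permission denied"}, as the real API does; a public
    one returns the node (with ?shallow=true, only {child_key: true})."""
    def fetch(url: str) -> Tuple[int, Any]:
        path, _, query = url.partition("?")
        rel = path[len(BASE):-len(".json")].strip("/")
        if not public:
            return 401, {"error": "Permission denied"}
        node: Any = db
        for part in filter(None, rel.split("/")):
            node = node.get(part) if isinstance(node, dict) else None
        if "shallow=true" in query and isinstance(node, dict):
            return 200, {k: True for k in node}
        return 200, node
    return fetch

# --- 3. The checks an auditor runs against a database URL -----------------
def is_publicly_readable(fetch: Fetch, base: str = BASE) -> bool:
    """The '.json' trick from the article: an unauthenticated GET on the root
    succeeds only when the rules grant public read."""
    status, _ = fetch(f"{base}/.json?shallow=true")
    return status == 200

def shallow_crawl(fetch: Fetch, base: str = BASE, path: str = "") -> Any:
    """Download chunk by chunk: list child keys with ?shallow=true, then fetch
    each top-level child separately instead of the whole tree in one request."""
    status, keys = fetch(f"{base}/{path}.json?shallow=true")
    if status != 200:
        raise PermissionError(f"{base}/{path}.json -> {status} {keys}")
    if not isinstance(keys, dict):
        return keys  # leaf value
    out: Dict[str, Any] = {}
    for key in keys:
        child = f"{path}/{key}" if path else key
        _, out[key] = fetch(f"{base}/{child}.json")
    return out

# --- 4. Pattern search over the dump, as the researchers described ---------
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s()-]{7,}\d"),
}
SECRET_KEYS = {"password", "passwd", "token", "secret", "api_key", "apikey"}

def find_sensitive(data: Any, path: str = "") -> List[Tuple[str, str]]:
    """Return (path, kind) hits; a human still has to weed out false positives."""
    hits: List[Tuple[str, str]] = []
    if isinstance(data, dict):
        for key, val in data.items():
            child = f"{path}/{key}"
            if key.lower() in SECRET_KEYS and val not in (None, ""):
                hits.append((child, "credential"))
            hits.extend(find_sensitive(val, child))
    elif isinstance(data, str):
        for kind, rx in PATTERNS.items():
            if rx.search(data):
                hits.append((path, kind))
    return hits

if __name__ == "__main__":
    print("weak rules :", audit_rules(WEAK_RULES))
    print("fixed rules:", audit_rules(FIXED_RULES))
    locked, exposed = make_fake_fetch(FAKE_DB, False), make_fake_fetch(FAKE_DB, True)
    print("locked readable:", is_publicly_readable(locked))
    print("exposed readable:", is_publicly_readable(exposed))
    for hit in find_sensitive(shallow_crawl(exposed)):
        print("  ", *hit)
```

For a developer checking their own deployment, the two cheapest tests are the ones this script models: run `audit_rules` over the rules exported from the Firebase console (any `true` or `auth == null` on `.read`/`.write` near the root is the finding Comparitech counted), and issue an unauthenticated GET on the database root with `.json?shallow=true` from a machine that has no Firebase credentials; a 200 means the data is public, a 401 with "Permission denied" means the rules are doing their job. The pattern search is deliberately loose, which is why the researchers' manual false-positive pass is still needed.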
