Thousands of Android apps leak the personal information of millions of users, including payment card data, due to Firebase misconfigurations
These are depressing times. With the coronavirus pandemic lockdown affecting the whole world, a lot of mistakes are being made. Some of these mistakes are harmless, but some, like the DigitalOcean developer error, can leak user data and cause serious harm.
A similar misconfiguration error can impact millions of Android smartphone users around the world. Comparitech security researchers have discovered that a Firebase misconfiguration can leak the user data of thousands of Android apps distributed through Google Play.
What is Firebase and why does Google use it?
Google Firebase is a Google-backed application development platform that enables developers to build iOS, Android and web apps. Firebase provides tools for tracking analytics, reporting and fixing app crashes, and creating marketing and product experiments. Firebase was launched in 2011 and acquired by Google in 2014. Google itself uses it for authentication, hosting, cloud storage, analytics, messaging, and more.
Nearly half of the apps on Google Play use Firebase to store user data. As per Comparitech, nearly 4.8% of all smartphone apps using Firebase are believed to be leaking personal information, access tokens, and other types of data.
Comparitech researchers said that misconfigurations in Firebase could jeopardize the data of millions of users of these Android apps. Their report, published here, details that 4,282 apps listed on Google Play are leaking information due to this misconfiguration.
Comparitech analyzed 515,735 Android applications in Google Play and found 4,282 apps that leak sensitive information due to Firebase misconfiguration. “If we extrapolate those figures, an estimated 0.83 percent of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total,” the researchers state in the blog post.
You can imagine the scale of the data leak: the total downloads of the misconfigured apps exceeded 4.22 billion. And these figures are just for Google Play. Third-party app stores could be leaking similar data, according to the researchers. These misconfigurations likely impact many more apps beyond the Android operating system.
Comparitech found that the exposed data included the following:
- E-mail addresses: 7,000,000+
- Usernames: 4,400,000+
- Passwords: 1,000,000+
- Phone numbers: 5,300,000+
- Full Name: 18,300,000+
- Chat messages: 6,800,000+
- GPS data: 6,200,000+
- IP addresses: 156,000+
- Street addresses: 560,000+
In addition to the above, the researchers found that the leak exposed the payment card data and photos of government-issued identification of millions of users.
“Of the 155,066 Firebase apps analyzed, 11,730 had publicly exposed databases. 9,014 of them even included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it,” Comparitech says.
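The exposure Comparitech describes comes down to Firebase Realtime Database security rules that grant `.read` or `.write` to everyone, and a grant at the root cascades to every child path. The following is an added example, not code from Comparitech or from Firebase: a small Python linter that walks a rules document and reports world-readable and world-writable paths. The two rule sets it runs over are constructed for illustration and do not come from any real app.

```python
import json

# Constructed sample: the misconfiguration pattern, everything public at the root
OPEN_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed sample: per-user data gated on the caller's auth uid,
# with only a small config subtree intentionally world-readable
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": {
      ".read": true,
      ".write": false
    }
  }
}
""")


def _is_open(value):
    """A literal true, or the string "true", grants access to unauthenticated clients."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def lint_rules(rules_doc):
    """Walk a Realtime Database rules document and return findings as
    (path, permission, severity, reason) tuples.

    severity 'open': granted to everyone (cascades to all child paths)
    severity 'warn': an expression that never references `auth`, so it cannot
                     be distinguishing signed-in users from anonymous clients
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path, key, "open", "granted to unauthenticated clients"))
                elif isinstance(value, str) and "auth" not in value:
                    findings.append((path, key, "warn", "expression does not check auth"))
            elif key in (".validate", ".indexOn"):
                continue  # not access-control keys
            elif isinstance(value, dict):
                walk(value, path.rstrip("/") + "/" + key)

    walk(rules_doc.get("rules", {}), "/")
    return findings


def world_writable_paths(rules_doc):
    """Paths where anyone can add, modify or delete data (the 9,014-app case above)."""
    return [path for path, perm, sev, _ in lint_rules(rules_doc)
            if perm == ".write" and sev == "open"]


if __name__ == "__main__":
    for name, doc in (("OPEN_RULES", OPEN_RULES), ("HARDENED_RULES", HARDENED_RULES)):
        print(name)
        for path, perm, sev, reason in lint_rules(doc):
            print(f"  [{sev}] {path} {perm}: {reason}")
        print("  world-writable:", world_writable_paths(doc))
```

The hardened rule set still produces one `open` finding, for `/public_config` `.read`, which is the point of the tool: every public grant is surfaced so the developer can confirm it is deliberate and scoped to non-sensitive data, rather than discovering it the way the researchers did.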
Comparitech reached out to Google and this is what Google had to say about the massive data leak:
Firebase provides a number of features that help our developers configure their deployments securely. We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. We are reaching out to affected developers to help them address these issues.
This is not the first time Firebase has been found leaking information. In 2018, Appthority researchers found Firebase leaking similar information from over 3,000 Android and iOS applications. At that time, researchers said that 100 million records (113 gigabytes of data) had been leaked from Firebase databases. This time, though, the data cache seems to be much bigger.