More than 4,000 applications using Google Firebase are not properly protected.
More than 4 thousand Android applications that use Google Firebase cloud databases inadvertently disclose confidential information about their users, including email addresses, logins, passwords, phone numbers, full names, chat messages and location data.
Specialist Bob Diachenko from Security Discovery, together with Comparitech, found this out by analyzing more than 515 thousand Android applications.
“4.8% of mobile applications on the Google Play Store that use Firebase to store user data are not properly protected, allowing a potential attacker to gain access to databases containing personal information of users, access tokens and other insecure data without a password or any other authentication,” the experts explained.
Firebase is a popular platform for developing mobile applications, offering developers various tools for creating programs, secure data storage, fixing problems and user interaction through the messaging feature.
According to the researchers, since Firebase is a cross-platform tool, improper configuration can also affect iOS and web applications.
The full contents of the database, covering 4282 applications, include more than 7 million email addresses, 4.4 million logins, 1 million passwords, 5.3 million phone numbers, 18.3 million full names, 6.8 million chat messages, 6.2 million GPS data, 156 thousand IP addresses and 560 thousand real addresses.
During the analysis, experts also found 9 thousand applications with write permissions, potentially allowing an attacker to inject malicious data, damage the database and even install malware.
Incorrect Firebase configuration allows attackers to easily find and steal data. By simply adding “.json” to the end of the Firebase URL, an attacker can view and download the contents of vulnerable databases. Although Google removed vulnerable database URLs from search results back in 2021, they are still indexed by other search engines such as Bing.
__________________