
Developers using Firebase urged to check configuration after leak exposed

12 May 2020

App development companies using Google’s Firebase tool have been warned to urgently check their configuration, as researchers from Comparitech found thousands of apps leaking personal information.

Firebase, a data storage solution for apps, is used by an estimated 30% of all apps on the Google Play store – and data from Comparitech’s study released today indicates that 4.8% of apps using Firebase are ‘not properly secured’.

This could allow threat actors to access personally identifiable information, access tokens, and other data without a password or any other authentication.

“Comparitech’s security research team led by Bob Diachenko examined 515,735 Android apps, which comprise about 18% of all apps on Google Play,” says Comparitech tech writer Paul Bischoff in a blog post on the Comparitech website.

“In that sample, we found more than 4,282 apps leaking sensitive information. If we extrapolate those figures, an estimated 0.83% of all Android apps on Google Play leak sensitive data through Firebase. That’s roughly 24,000 apps in total.”

Further research found that vulnerable applications have been installed 4.22 billion times by Android users. 

Email addresses were the most exposed asset, followed by usernames, passwords, phone numbers, and full names.

Comparitech reported that games were the app category with the highest number of vulnerable apps, followed by education and entertainment.

Of the 155,066 Firebase apps analysed, 11,730 had publicly exposed databases, according to Comparitech.

9,014 of them included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.

If granted this access, attackers could use the information to inject nefarious data into an app, scam users, spread malware or corrupt the app database.

Comparitech then took the findings to Google. In response, a Google spokesperson said:

“Firebase provides a number of features that help our developers configure their deployments securely. 

“We provide notifications to developers about potential misconfigurations in their deployments and offer recommendations for correcting them. 

“We are reaching out to affected developers to help them address these issues.”

Comparitech exploited a common misconfiguration in an app’s resources to gain access to its stored data.

If the database is publicly exposed, attackers could simply append ‘.json’ to the end of a URL belonging to an app that uses Firebase, and this request will return the full contents of the database.
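As an added example that is not part of the Comparitech study or this article: a small Python audit script, constructed here on the assumption that the rules file uses the Realtime Database rules JSON layout, which flags `.read`/`.write` grants that need no authentication (the exposure described above, including the write permissions mentioned earlier), with a public rule set beside a hardened one.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed example of the misconfiguration in the article: anyone holding
# the database URL can read and write every path without signing in.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'

# Constructed hardened counterpart: a signed-in user reaches only their own
# subtree; every other path is denied by default.
HARDENED_RULES = json.dumps({"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid",
}}}})

def classify(expr: Any) -> str:
    """Map a .read/.write value to a coarse risk label."""
    text = str(expr).strip().lower()
    if text == "true":
        return "PUBLIC"               # no authentication needed at all
    if text == "false":
        return "DENIED"
    if text == "auth != null":
        return "ANY_SIGNED_IN_USER"   # every account in the project, not just the owner
    return "SCOPED"                   # conditional on auth/data; review by hand

def audit_rules(rules_json: str) -> List[Tuple[str, str, str]]:
    """Return (path, permission, label) for every .read/.write rule found.
    Rules cascade downward (a parent grant cannot be revoked by a child),
    so a PUBLIC grant at "/" exposes the whole database."""
    findings: List[Tuple[str, str, str]] = []

    def walk(node: Dict[str, Any], path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                findings.append((path or "/", key, classify(value)))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings

def public_paths(rules_json: str) -> List[Tuple[str, str]]:
    """Only the grants that need no authentication: the ones to fix first."""
    return [(p, perm) for p, perm, label in audit_rules(rules_json)
            if label == "PUBLIC"]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules))
```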

“Some of the databases were too large for one download request, so researchers used a ‘shallow’ keyword option to limit the depth of the response, iterating only through keys and downloading the database chunk by chunk,” says Bischoff.

“To analyse data stored in exposed databases, researchers searched for patterns corresponding to sensitive information such as email addresses, phone numbers, passwords, secret tokens, etc. 

“They then manually checked collected information for false positives.”
