An investigation led by Bob Diachenko of Security Discovery, in partnership with Comparitech, found that Google’s cloud-hosted Firebase databases are ‘unknowingly’ exposing sensitive user information.
The investigation analysed more than 515,735 Android apps, about 18 percent of all apps on the Google Play store, and found 4,282 apps that leak email addresses, usernames, passwords, phone numbers, full names, chat messages and location data. More than 9,014 of the exposed databases even allowed write access, which would let an attacker add, modify or remove data on the server, in addition to viewing and downloading it.
Firebase is a popular mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. As of March 2020, the Firebase platform has 19 products, which are used by more than 1.5 million apps.
The vulnerable applications mostly span the games, education, entertainment and business categories and have been installed 4.22 billion times by Android users all over the world. Since the average smartphone user has between 60 and 90 apps installed, the chances are high that an Android user’s privacy has been compromised by at least one app. Because Firebase is a cross-platform tool, the researchers also warned that the misconfigurations are likely to affect iOS and web apps as well.
The researchers examined each app’s resources for strings of text indicating that Firebase is in use, such as those ending in “.firebaseio.com”. Because Firebase provides a simple REST API to the data it stores in JSON format, a publicly available database can be accessed by making a request to the database URL with “.json” appended (e.g. https://.firebaseio.com/.json).
If the database is publicly available, such a request simply returns the database contents; otherwise, it returns an “access denied” message to the client. Because some databases are huge, the researchers used the “shallow” query option to limit the depth of the response, iterating only through keys and downloading the database chunk by chunk. They also tried to create and remove new nodes in the exposed databases with PUT and DELETE requests to check for a permissive ‘write’ access rule.
To analyse the data stored in exposed databases, the researchers searched for patterns corresponding to sensitive information such as email addresses, phone numbers, passwords, secret tokens, etc. They then manually checked the collected information for false positives.
After Google was notified of the findings on April 22, the search giant said it is reaching out to affected developers to fix the issues. The researchers further recommend that developers implement proper Firebase Database Rules, prevent unauthorized users from accessing sensitive information, and not store passwords in plain text.
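The misconfiguration behind these leaks is a Realtime Database rule set that grants `".read": true` and `".write": true` at the root, which is exactly what makes the `/.json` request above succeed for anyone. As an added illustration of the recommended fix (not taken from the report), the rules below deny everything by default, scope each user’s record to its own authenticated owner, refuse to store a `password` field at all, and make chat messages readable only by room members and append-only; the `users`, `messages` and `rooms` paths and field names are assumed for the example.

```json
{
  "rules": {
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        },
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 64"
        },
        "password": { ".validate": false },
        "$other": { ".validate": false }
      }
    },

    "messages": {
      "$roomId": {
        ".read": "auth != null && root.child('rooms/' + $roomId + '/members/' + auth.uid).exists()",
        "$messageId": {
          ".write": "auth != null && root.child('rooms/' + $roomId + '/members/' + auth.uid).exists() && !data.exists()",
          ".validate": "newData.hasChildren(['from', 'text']) && newData.child('from').val() === auth.uid"
        }
      }
    }
  }
}
```

Rules cascade downward, so a `.read` or `.write` granted at a parent cannot be revoked by a child rule; keeping the root denied and opening only specific paths is what makes the per-user and per-room restrictions effective.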