Monday, July 2, 2018

Millions of users’ data leaked through misconfigured Firebase backends

location data privacy fcm firebase

Millions of users' data have been leaked because of misconfigured Firebase backends, according to a report from Appthority. Around 113GB of data over 2,271 databases were exposed publicly as a result of being misconfigured. Firebase is a Backend-as-a-Service offering by Google which was reported to be the fastest growing SDK in 2017. The service is hugely popular amongst the top Android developers. It provides cloud messaging, push notifications, databases, analytics, advertising and a lot more that developers can utilize, all powered by Google's high-performance servers. However, it appears that many developers are misusing it.

According to the report, starting in January 2018, researchers scanned mobile apps which utilize Firebase for their back-end functionality. After scanning a little over 2.7 million iOS and Android applications, they found that around 28 thousand of these used Firebase. Of those apps, some 3,000 were leaking their data in a publicly viewable database that could be found by monitoring the app's communication with a server. What's more, the total downloads of these 3,000 applications exceeded 620 million, suggesting some very high profile applications are possible offenders too. The types of data that were leaked are below.

  • 2.6 million plaintext passwords and user IDs
  • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
  • 25 million GPS location records
  • 50 thousand financial records including banking, payment and Bitcoin transactions
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens

At present, there's no way to tell whether your data has also been leaked, but it's always safest to assume th and you should act accordingly. Apthority claims that they notified Google prior to publishing the report, providing the list of affected applications along with the links to the publicly viewable databases.

We can only hope that the list of applications will be released at a later date, as currently users are left in the dark as to whether their information is publicly viewable or not. While presumably trustworthy, eyes from both Google and the researchers will have seen the data. We recommend changing your passwords as a precaution until we find out more information.


Source: Appthority Via: Bleeping Computer



from xda-developers https://ift.tt/2z9lTYK
via IFTTT

No comments:

Post a Comment