3,000 mobile iOS and Android apps are leaking personal, payment and business information from unsecured Firebase databases, researchers at Appthority have found.
The researchers found that a vulnerability they call HospitalGown, in which app developers fail to require authentication to a Google Firebase cloud database, has affected 2,300 databases, resulting in the exposure of personal and payment data. One in 11 Android apps (9%) and almost half of iOS apps (47%) that connect to a Firebase database were found to be vulnerable.
Appthority says that multiple categories of app are impacted, including productivity tools, health and fitness, communication, finance and business applications. Health and fitness apps leaked the most data, but 40% of vulnerable apps installed were business-related, meaning there is a risk of intellectual property and re-used credentials being exposed as well as personally identifiable/sensitive information.
The research indicates that more than 100 million records were exposed as a result of the vulnerability, including 2.6 million plain text passwords, over 4 million protected health information records, 25 million GPS location records, 50,000 financial records, and over 4.5 million Facebook, LinkedIn, Firebase and corporate data store user tokens. Other information, such as emails, phone numbers, license plates and more, was also exposed, with a total of over 113 GB of data leaked altogether.
The company claims that 62% of enterprises have at least one vulnerable app in their mobile environment, with enterprises in the United States, Europe, the United Kingdom, Argentina, Brazil, Singapore, Taiwan, New Zealand, India, and China impacted by the vulnerabilities.
They point out that because of the way the data is stored, accessing the unsecured databases is extremely simple: all that a hacker needs to do is append ‘/.json’ to the URL of the unsecured database’s server (i.e. https://[appname].firebaseio.com/.json).
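The exposure described above comes down to the database's security rules granting read (and often write) access without any condition. The following is an added example, not code from Appthority's report or from Google: it embeds a constructed copy of the open rules that produce a HospitalGown-style exposure beside a locked-down version that requires a signed-in user, and it audits a Firebase Realtime Database rules document for any path whose ".read" or ".write" rule is unconditionally true. It assumes the standard Realtime Database rules format (".read"/".write" keys, "auth != null" expressions, "$uid" wildcards); the sample rule documents and function names are constructed for illustration.

```python
"""Audit Firebase Realtime Database security rules for unauthenticated access.

Constructed example, not Appthority's tooling and not Google's rules engine:
it walks a rules document and reports every path whose ".read" or ".write"
rule is unconditionally true, which is what leaves a database readable by
anyone who knows its URL.
"""
import json
from typing import Iterator

# Constructed sample: the open rules that expose the whole database to
# unauthenticated clients (the HospitalGown condition).
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed sample: rules that require a signed-in user at the root and
# restrict each user's record to its owner.
LOCKED_RULES = json.dumps({
    "rules": {
        ".read": "auth != null",
        ".write": "auth != null",
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
    }
})


def _is_unconditional(rule) -> bool:
    """True when a rule grants access with no condition at all.

    Rules may be JSON booleans or string expressions; the literal true and
    the string 'true' both grant access to unauthenticated clients.
    """
    if rule is True:
        return True
    return isinstance(rule, str) and rule.strip().lower() == "true"


def _walk(node: dict, path: str) -> Iterator[tuple[str, str]]:
    """Yield (path, permission) for every unconditional grant under node."""
    for key, value in node.items():
        if key in (".read", ".write"):
            if _is_unconditional(value):
                yield path or "/", key
        elif isinstance(value, dict):
            yield from _walk(value, f"{path}/{key}")


def find_public_access(rules_json: str) -> list[tuple[str, str]]:
    """Return (path, permission) pairs granted to unauthenticated clients.

    Realtime Database permissions cascade downward, so a hit at "/" means
    the entire database is exposed, exactly as the article describes.
    """
    doc = json.loads(rules_json)
    return list(_walk(doc.get("rules", {}), ""))


def is_publicly_readable(rules_json: str) -> bool:
    """Convenience check: does any path grant unauthenticated read?"""
    return any(perm == ".read" for _, perm in find_public_access(rules_json))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        hits = find_public_access(rules)
        print(f"{name}: {hits or 'no unauthenticated access'}")
```

Run it against the rules file exported from the Firebase console (or kept in source control) before each deploy; a single hit at "/" is the configuration that the researchers found behind the leaked records. Note that a conditional rule such as "auth != null" only proves that some authentication is required, not that each user is limited to their own data, so the per-user "$uid" scoping in the locked sample is still needed on top of the root check.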
The vulnerability was first discovered in May 2017. Appthority says that it has notified Google and provided a list of the affected apps. It has also notified the developer of any apps it names in its report and ensured that the vulnerability has been remedied.
The full report can be accessed here (PDF).