The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.
"4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication," Comparitech said.
Acquired by Google in 2014, Firebase is a popular mobile application development platform that offers a variety of tools to help third-party app developers build apps, securely store app data and files, fix issues, and even engage with users via in-app messaging features.
With the vulnerable apps in question — mostly spanning games, education, entertainment, and business categories — installed 4.22 billion times by Android users, Comparitech said: "the chances are high that an Android user's privacy has been compromised by at least one app."
Given that Firebase is a cross-platform tool, the researchers also warned that the misconfigurations are likely to impact iOS and web apps as well.
The full contents of the database, spanning across 4,282 apps, included:
- Email addresses: 7,000,000+
- Usernames: 4,400,000+
- Passwords: 1,000,000+
- Phone numbers: 5,300,000+
- Full names: 18,300,000+
- Chat messages: 6,800,000+
- GPS data: 6,200,000+
- IP addresses: 156,000+
- Street addresses: 560,000+
Diachenko found the exposed databases using known Firebase's REST API that's used to access data stored on unprotected instances, retrieved in JSON format, by simply suffixing "/.json" to a database URL (e.g. "https://~project_id~.firebaseio.com/.json").
Aside from 155,066 apps having publicly exposed databases, the researchers found 9,014 apps with write permissions, thus potentially allowing an attacker to inject malicious data and corrupt the database, and even spread malware.
Complicating the matter further is the indexing of Firebase database URLs by search engines such as Bing, which exposes the vulnerable endpoints for anyone on the Internet. A Google search, however, returns no results.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
After Google was notified of the findings on April 22, the search giant said it's reaching out to affected developers to patch the issues.
This is not the first time exposed Firebase databases have leaked personal information. Researchers from mobile security firm Appthority found a similar case two years ago, resulting in the exposure of 100 million data records.
Leaving a database exposed without any authentication is an open invite for bad actors. It's therefore recommended that app developers adhere to Firebase database rules to secure data and prevent unauthorized access.
Users, for their part, are urged to stick to only trusted apps and be cautious about the information that's shared with an application.