Mobile security researchers have discovered unprotected Firebase databases belonging to thousands of iOS and Android mobile applications. The databases were found to expose over 100 million data records, including plain-text passwords, user IDs and location data. For some applications, the exposed data also includes financial records such as banking and cryptocurrency transactions.
Firebase, acquired by Google in 2014, is one of the most popular platforms for back-end development of mobile and web applications. It offers developers a cloud-based database that stores data in JSON format and syncs it in real time with all connected clients. According to Hacker News, researchers from mobile security firm Appthority discovered that many app developers failed to properly secure the back ends they built using Firebase.
The firm says these back-end Firebase endpoints are not protected by firewalls or authentication systems, leaving hundreds of gigabytes of sensitive app user data publicly accessible to anyone. The researchers scanned over 2.7 million apps and found that more than 3,000 apps were susceptible to data theft. They say 2,446 of these apps are on Android while 600 apps are on iOS. Together they were found to be leaking 2,300 databases containing more than 100 million records, with the potential breach of over 113 gigabytes of data.
The affected apps belong to multiple categories, including telecommunication, cryptocurrency, finance, postal services, ride-sharing, education, productivity, health and fitness, and hotels, among others. The vulnerable apps are giving away 2.6 million user IDs and passwords in plain text, 25 million GPS location records, 4.5 million+ Facebook, LinkedIn, Firebase and corporate data store user tokens, and 4 million+ PHI (Protected Health Information) records.
Firebase does not secure user data hosted on its platform by default; instead, it requires developers to implement user authentication. The researchers say they have already contacted Google and provided a list of all vulnerable app databases. They have also contacted a few app developers, offering help to patch this issue.
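For developers checking their own project, the sketch below audits a Firebase Realtime Database rules file for paths that grant read or write access without authentication. It is an added example, not code from the article or from Appthority; it assumes the standard rules layout with `.read` and `.write` keys, and the three rule sets in it are constructed samples.

```python
import json

# Constructed sample rule sets (not taken from any app in the report).
OPEN_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

HARDENED_RULES = json.loads("""
{"rules": {"users": {"$uid": {
    ".read": "$uid === auth.uid",
    ".write": "$uid === auth.uid"}}}}
""")

MIXED_RULES = json.loads("""
{"rules": {
  "public_catalog": {".read": true, ".write": false},
  "messages": {".read": "auth != null", ".write": "true"},
  "users": {"$uid": {".read": "$uid === auth.uid",
                     ".write": "$uid === auth.uid"}}
}}
""")

def is_unconditional(expr):
    """True when a rule grants access to everyone, signed in or not."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"

def find_public_rules(rules, path="/"):
    """Walk a rules tree; return (path, operation) pairs open to the world."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if is_unconditional(value):
                findings.append((path, key[1:]))
        elif isinstance(value, dict):
            child = path.rstrip("/") + "/" + key
            findings.extend(find_public_rules(value, child))
    return findings

def audit(ruleset):
    """Sorted findings for a parsed rules document."""
    return sorted(find_public_rules(ruleset.get("rules", {})))

if __name__ == "__main__":
    for name, rs in [("open", OPEN_RULES), ("hardened", HARDENED_RULES),
                     ("mixed", MIXED_RULES)]:
        print(name, audit(rs))
```

Because Realtime Database rules cascade, a finding at `/` covers every child path; a public read on a path such as a product catalog may be intentional, so treat each finding as an item to review.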