Firebase App Vulnerability Exposes Millions of Users’ Data

Researchers with mobile security firm Appthority have disturbing news for iOS and Android mobile users: a vulnerability on the developers’ end exposed sensitive data collected via more than 1,000 common enterprise device apps. This exposed information, which included personal identifiable information, plain text passwords, and more, was compromised due to what experts are calling the Firebase vulnerability.

Similar to other previously discovered app vulnerabilities, this one occurred in relation to how the app “speaks” to the Google Firebase cloud database. Specifically, when authentication wasn’t required, any attacker could access information through the unsecured Firebase. Developers needed to initiate an additional step to require that authentication, but for too many apps, that step wasn’t put in place.

As a result, this vulnerability leaked around 100 million records from unsecured Firebase databases.

Appthority’s team isolated 28,502 mobile apps—more than 27,000 on the Android platform and another 1200-plus on iOS—that connected to a Firebase database. More than 3,000 were vulnerable because of this lack of authentication. Unfortunately, these numbers meant one out of every ten Firebase databases was left unsecured.

There is a wide variety of app categories involved in this finding, especially business-oriented apps like productivity tools, financial and business apps, and even dating app. The business users of these impacted apps include companies in banking, telecom, ride hailing, travel, and schools scattered through the US, Europe, South America, and Asia.

So what was exposed? Researchers found millions of plain text usernames and passwords, private health records, stored GPS coordinates to past locations, online payment and cryptocurrency activity records, and access to millions of users’ social media platforms.

It’s important for business device users to understand that this kind of vulnerability not only exists, but may even become more widespread based on the increasing numbers of Firebase users since it was launched. It’s worth noting that any vulnerability that exposes sensitive data from an enterprise account can mean the risk of violating regulatory compliance, regardless of how the information was leaked or who was responsible.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.