Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

                      Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.




The vulnerable Android apps alone were downloaded more than 620 million times.

Affected apps belong to multiple categories such as telecommunication, cryptocurrency, finance, postal services, ride-sharing companies, educational institutions, hotels, productivity, health, fitness, tools and more.

Researchers also provided a brief analysis, given below, of the obtained data they had downloaded from vulnerable applications.

• 2.6 million plaintext passwords and user IDs
• 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
• 25 million GPS location records
• 50,000 financial records including banking, payment and Bitcoin transactions
• 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens.

Researcher claims all this is happening at the first place because Google Firebase service does not secure user data by default, requiring developers to explicitly implement user authentication on all database rows and tables to protect their databases from unauthorized access.
"The only security feature available to developers is authentication and rule-based authorization," the researchers explain. What's worse? There are no "third-party tools available to provide encryption for it."

Researchers had already contacted Google and provided a list of all vulnerable app databases, and also contacted a few app developers helping them to patch this issue.
Also Read: World’s Smallest Computer Dwarfed By A Grain Of Rice: Just 0.3mm To A Side