Thursday, April 18, 2024

Firebase Vulnerability Leaks 100 Million Sensitive Records – 2300 Firebase Databases & 3,000 iOS and Android Apps Affected

By Balaji

Newly discovered highly critical Firebase Vulnerability named as HospitalGown affected over 2,300 unsecured Firebase Databases & 3,000 iOS and Android Apps which exposed around 100 million records.

Firebase Vulnerability affected Android apps alone downloaded more than 620 million times and this is one of the biggest vulnerability that discovered in Android Ecosystem.

This Firebase vulnerability HospitalGown occurs when app developers fail to require authentication to a Google Firebase cloud database.

Affected Apps are Listed in Multiple categories such as productivity, health, fitness, communication, cryptocurrency, finance, tools etc.

Firebase Vulnerability exposed enterprises data that belongs to United States, Europe, the United Kingdom, Argentina, Brazil, Singapore, Taiwan, New Zealand, India, and China.

Firebase is a mobile and web application development platform owned by Google and  Firebase provides a real-time database and backend as a service and Firebase is built on Google infrastructure and scales automatically, for even the largest apps.

The service provides application developers with an API that allows application data to be synchronized across clients and stored on Firebase’s cloud.

https://twitter.com/Appthority/status/1009135233176924160

Firebase Vulnerability Affected Report

This historical Firebase vulnerability “HospitalGown” caused a very critical ranging impact and various Organization is heavily affected around the World.

Tons of sensitive data’s are exposed which is related to data privacy regulations, to sensitive intellectual property and sales information, from data that can cause potential financial fraud, to PII.

Very Scary part of this Firebase Vulnerability is that it takes little effort for attackers to find open Firebase app databases. Once found, cybercriminals can gain access to millions of private mobile data app records.

Affected Threat Scope

  • 1 in 11 Android apps (9%) and almost half of iOS apps (47%) that connect
    to a Firebase database were vulnerable
  •  More than 3,000 apps were leaking data from 2,300 unsecured servers. Of these,
    975 apps were in active customer environments.
  • 1 in 10 Firebase databases (10.34%) are vulnerable
  •  Vulnerable Android apps alone were downloaded over 620 million times
  • Over 100 million records (113 gigabytes) of data was exposed

Apart from this researchers found that 62% of enterprises have at least one vulnerable app in their mobile environment.

This Firebase vulnerability leads to Exposed sensitive data from banks, telecoms, postal services, ride-sharing companies, hotels and educational institutions.

According to Appthority, Following Apps connected to unsecured Firebase databases have exposed more than 100 million data records, including:

  • 2.6 million plain text passwords and user IDs
  • 4 million+ PHI (Protected Health Information) records, including chat
    messages and prescription details
  • 25 million GPS location records
  • 50 thousand financial records including banking, payment and Bitcoin transactions
  • 4.5 million+ Facebook, LinkedIn, Firebase and corporate data store user tokens

How does this Firebase vulnerability Discover

A researcher from Appthority finds the technique to identifies insecure backend servers connecting to mobile apps at the beginning of this year.

Using the same technique they analyzed various apps and identified the back-end databases to which they were sending data and discovered that Firebase database was one of the top 10 most popular data stores for mobile apps.

Google Firebase database accessed by mobile apps through an API server accessible via “https://<Firebase project name>.firebaseio.com/.”
“Based on the research Hackers therefore need only make a simple web request (e.g.”https://docs-examples.firebaseio.com/.json”) to a blank “.json” database to view all unprotected data hosted. “

In this case, 2.7 million iOS and Android apps found on mobile devices in enterprises, identifying apps connected to “*.firebaseio.com”

Researchers uncovered sensitive data, including PII, plaintext passwords, private access tokens, vehicle license and registration numbers, and more leaked by the vulnerable apps.

complete Vulnerability report provided to Google by Appthority and it has been notified to Affected apps developers. you can download complete Firebase vulnerability analysis report here.

Also Read:

OnePlus 6 Bootloader Vulnerability Could allows Booting any Image even the Bootloader is Locked

Zero-Day Remote Code Execution Vulnerability Discovered in Microsoft Windows JScript

100 Million iOS Users Affected by ZipperDown Vulnerability that Existing in Thousands of iOS Apps

EFAIL Attacks – How PGP & S/MIME Vulnerability Leaked Encrypted Emails in Plain Text

Managed WAF Protection

Website

Latest articles

Vulnerability

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...
Cyber Attack

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...
Cyber Attack

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...
Android

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...
cyber security

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...
Cisco

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...
Cyber Crime

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]