Issue 84: Unprotected APIs at Google Firebase, leaky Arkansas PUA portal


This week, we take a look at how thousands of Android apps inadvertently exposed Google Firebase APIs, and how the Arkansas Pandemic Unemployment Assistance (PUA) portal was leaking sensitive personal data. We also have a new pentesting tool for identifying data transformations used in APIs and apps, and a case study of four recent high-profile API breaches.


Vulnerability: Google Firebase


Google Firebase is a development platform for mobile apps. It claims to be used in over 1.5 million mobile apps to provide standard platform functions like authentication, cloud storage, messaging, and analytics.


Security researchers from Comparitech found unsecured API access to the Firebase cloud storage used by an estimated 24,000 Android apps. The vulnerability is not really a vulnerability in Firebase itself, but in how many Android developers set up and use Firebase. It is also worth noting that because Firebase is a cross-platform tool, the impact might not be limited to just Android.


Because the platform is cloud-based, poor security configuration can unfortunately have dire consequences. The leaky deployments exposed REST APIs that allowed attackers to download end-user data through GET requests, and even to change the data with PUT requests.
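In the Firebase Realtime Database, which is what the REST API above fronts, who may GET or PUT is decided by the database's security rules document. As an added example that is not part of this newsletter or of Firebase itself, the Python below walks a rules document and reports every path whose `.read` or `.write` rule grants access without consulting `auth`; the two rule sets are constructed samples, the first being the fully open configuration behind leaks of this kind.

```python
import json

# Constructed sample rule sets (not from the newsletter): the first leaves the whole
# database world-readable and world-writable, the second restricts each user's
# subtree to its owner and deliberately publishes only one read-only node.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": True}})
HARDENED_RULES = json.dumps({"rules": {
    ".read": False,
    ".write": False,
    "users": {"$uid": {".read": "$uid === auth.uid",
                       ".write": "$uid === auth.uid"}},
    "public_config": {".read": True},
}})


def _is_public(expr):
    """True when a .read/.write rule grants access without authentication:
    a literal true, or an expression that never consults `auth`."""
    if expr is False or (isinstance(expr, str) and expr.strip() == "false"):
        return False
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return True
    return isinstance(expr, str) and "auth" not in expr


def find_public_paths(rules_json):
    """Walk a Realtime Database rules document and return sorted
    (path, permission) pairs where anonymous read or write is granted.
    Rules cascade downward, so a hit at "/" means the entire tree is exposed."""
    tree = json.loads(rules_json).get("rules", {})
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write") and _is_public(value):
                findings.append((path or "/", key[1:]))
            elif isinstance(value, dict) and not key.startswith("."):
                walk(value, f"{path}/{key}")

    walk(tree, "")
    return sorted(findings)


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_public_paths(rules) or "no anonymous access")
```

A flagged `write` at a path means the REST endpoint for that path accepts unauthenticated PUT requests, which is exactly the exposure described above.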



For app developers, the important lesson learned here is that whenever your app uses a cloud service, you as the developer are responsible for configuring the security for the access to that cloud service, in the most secure manner!


On the other hand, service providers need to strive to make their systems secure by default and make insecure configurations impossible. At the very least, if there is a legitimate use case for such ..
