Google Firebase misconfiguration exposes data of 20k+ Android users



The total number of impacted Android apps’ users is around 24,000.


With the rise of smartphone adoption in the previous decade, a range of tools were developed to aid developers in building apps. One such tool is Firebase, a Google-owned development platform used by over 1.5 million apps representing 30% of all apps on the Play Store.


It is used to provide various functions such as cloud storage, A/B testing, analytics, and even predictive capabilities. A couple of days ago, Comparitech, a security firm, published an alarming finding: up to 24,000 Android apps may be at risk because of a misconfiguration in the databases stored on the platform.


These can allow threat actors to gain access to the personal data of the users of these apps along with access tokens which can enable unauthorized logins.




The misconfiguration allows an attacker to add “.json to the end of a Firebase URL” and thereby view all the content contained within the database, with the help of nothing more than search engine results.


 


An example given by the researchers is “https://.firebaseio(dot)com/.json”. They further state, “If the database is publicly exposed, this request will return the full contents of the database. Otherwise, it returns an ‘access denied’ message.” Such results no longer appear on Google itself, which stopped displaying them back in December 2019, but they are still available on Bin ..
