Hundreds of iOS apps leaking data due to misconfigured Firebase backends, report says

Posted:
in General Discussion edited June 2018
Some 2,200 unsecured Firebase databases have caused more than 3,000 iOS and Android apps to leak user data, exposing over 100 million records including plaintext passwords, health information, GPS location data and more, security researchers say.

Appthority's HospitalGown report


According to a new report from the mobile app security firm Appthority, called the Q2 2018 Enterprise Mobile Threat Report, the issue is caused by a new variant of what is dubbed the "HospitalGown vulnerability." HospitalGown, cheekily named because it deals with data "leaking through backend data stores," was first pinpointed by the Appthority Mobile Threat Team in 2017.

Now, Appthority reports that the problem is occurring when app developers opt not to require authentication for Google Firebase cloud databases, something that is not done by default when developers use the popular development tool.

Appthority found that of the 1,275 iOS apps using a Firebase database, 600 were vulnerable. Overall, more than 3,000 apps were leaking data from 2,271 misconfigured databases. And among the data leaked are 2.6 million plain text passwords and user IDs, more than 4 million Protected Health Information records, and 50,000 financial records.

"To secure data properly, developers need to specifically implement user authentication on all database tables and rows, which rarely happens in practice," Appthority writes in the report. "Moreover, it takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile data app records.

Appthority's numbers


As noted by Bleeping Computer, which reported on the findings last week, Firebase is a Google product that contains backend tools for creating mobile apps. In use by many Android developers, some iOS apps also rely on the service to store and analyze data. Appthority evaluated 2.7 million iOS and Android apps to identify 28,502 mobile apps -- 27,227 Android and 1,275 iOS -- that stored data in Firebase backends.

Appthority also found that as Firebase use has grown, the amount of vulnerable apps has as well. In 2017, of the 53,010 apps using Firebase DB, 4,578 (9 percent), were vulnerable.

Appthority recommends that developers protect their data more effectively.

"You'll need to perform a thorough security review of internal apps developed by third parties, in-house developed apps, and public apps available for employee productivity," Appthority writes in the report. "You may have difficulty achieving visibility into data exposed by this threat in EMM published enterprise and public apps without an automated MTD solution focused on app threats and backend vulnerabilities, such as Appthority Mobile Threat Protection."

Google has been notified of the issue and provided a list of impacted apps and servers.
Alex1Nronn
«13

Comments

  • Reply 1 of 54
    chasmchasm Posts: 3,274member
    “Firebase is a Google product.” Nuff said, really ...

    EDIT: to clarify my meaning a bit -- Google is responsible for this product being so exploitable, but having said that this was not the default setting, and so one must assume the devs that opted not to require authentication did so deliberately in order to benefit themselves or others with this exploit.
    edited June 2018 rob53spinnydolsAlex1NronncornchipberndogMuntzlamboaudi4watto_cobra
  • Reply 2 of 54
    HeliBumHeliBum Posts: 129member

    Yep, leaking private information and Google are synonymous.


    Anybody know where to find the list of affected apps?

    edited June 2018 macseekerrob53spinnydsupadav03Alex1Nronnracerhomie3cornchipMuntzlamboaudi4
  • Reply 3 of 54
    That's not a bug....
    mac_dogrob53Alex1NronncornchipStrangeDayslamboaudi4lostkiwiwatto_cobrajony0
  • Reply 4 of 54
    rob53rob53 Posts: 3,241member
    That's not a bug....
    ... it’s a feature. 

    Finished it the way we all know. 
    Alex1NRayz2016StrangeDayslamboaudi4lostkiwiwatto_cobrajony0
  • Reply 5 of 54
    boboliciousbobolicious Posts: 1,139member
    ...is the simplest way to avoid such issues to never left 'Elvis leave the building' as they say... ? Is there a reason all Apple roads seem to lead to iCloud? Why so many entrust data to any cloud (gmail/hotmail/apple servers included) especially stateside given the Patriot Act is beyond my comprehension... I have a tough time convincing anyone to integrate the seemingly ubiquitous S/MIME encryption despite free certificate availability for personal use (numerous finer points debatable) and yet... ...will we all get what we deserve in the end...?
    edited June 2018 cornchipMuntz
  • Reply 6 of 54
    evilutionevilution Posts: 1,399member
    I’m sure it’ll be all Apple’s fault somehow. News sites will post about iOS apps sending out data, totally missing the fact it happens on Android and is Google’s product at fault.
    ronncornchiplostkiwiwatto_cobra
  • Reply 7 of 54
    nunzynunzy Posts: 662member
    ...is the simplest way to avoid such issues to never left 'Elvis leave the building' as they say... ? Is there a reason all Apple roads seem to lead to iCloud? Why so many entrust data to any cloud (gmail/hotmail/apple servers included) especially stateside given the Patriot Act is beyond my comprehension... I have a tough time convincing anyone to integrate the seemingly ubiquitous S/MIME encryption despite free certificate availability for personal use (numerous finer points debatable) and yet... ...will we all get what we deserve in the end...?
    Apple will take care of this quickly.
    spliff monkeycornchip
  • Reply 8 of 54
     Is there a reason all Apple roads seem to lead to iCloud? Why so many entrust data to any cloud (gmail/hotmail/apple servers included) especially stateside given the Patriot Act is beyond my comprehension... 
    You literally don't understand the utility of not having your data locked into one device and being available from Macs, iPhones, and iPads?

    Yes, there are risks, but there are also significant benefits.  Having said that, I trust Apple's implementation of cloud storage but am wary of no-name third parties (like the ones who took advantage of Google's cloud storage but couldn't be bothered to do so securely).
    fastasleepAlex1NronncornchipStrangeDayswatto_cobra
  • Reply 9 of 54
    MacProMacPro Posts: 19,718member
    I am sure Gatorguy will explain all this away on behalf of Google with tons of links he'll be given.  We are just silly Apple enthusiasts, we need guidance from Google experts.
    macseekercornchipRayz2016anton zuykovmacky the mackyMuntzStrangeDayslamboaudi4lostkiwiwatto_cobra
  • Reply 10 of 54
    fastasleepfastasleep Posts: 6,408member
    ...is the simplest way to avoid such issues to never left 'Elvis leave the building' as they say... ? Is there a reason all Apple roads seem to lead to iCloud? Why so many entrust data to any cloud (gmail/hotmail/apple servers included) especially stateside given the Patriot Act is beyond my comprehension... I have a tough time convincing anyone to integrate the seemingly ubiquitous S/MIME encryption despite free certificate availability for personal use (numerous finer points debatable) and yet... ...will we all get what we deserve in the end...?
    Having to go home to check my email kinda defeats the "e" part of it, no?
    Alex1Nronnlostkiwiwatto_cobra
  • Reply 11 of 54
    fastasleepfastasleep Posts: 6,408member

    nunzy said:
    ...is the simplest way to avoid such issues to never left 'Elvis leave the building' as they say... ? Is there a reason all Apple roads seem to lead to iCloud? Why so many entrust data to any cloud (gmail/hotmail/apple servers included) especially stateside given the Patriot Act is beyond my comprehension... I have a tough time convincing anyone to integrate the seemingly ubiquitous S/MIME encryption despite free certificate availability for personal use (numerous finer points debatable) and yet... ...will we all get what we deserve in the end...?
    Apple will take care of this quickly.
    Oh? Are they going to go secure the firewalls on every single AWS instance used to store app user data too? 
  • Reply 12 of 54
    nunzy said:
    Apple will take care of this quickly.
    Apple can't do anything, it's a Google Problem.
    Alex1Ncornchipnunzylamboaudi4watto_cobra
  • Reply 13 of 54
    maestro64maestro64 Posts: 5,043member
    HeliBum said:

    Yep, leaking private information and Google are synonymous.


    Anybody know where to find the list of affected apps?

    It would be nice to know which apps have this issue.
    cornchipwatto_cobra
  • Reply 14 of 54
    maestro64maestro64 Posts: 5,043member
    MacPro said:
    I am sure Gatorguy will explain all this away on behalf of Google with tons of links he'll be given.  We are just silly Apple enthusiasts, we need guidance from Google experts.
    You know he will have all kinds of information how its not Google's fault. But to default the database to a mode which is not secure it just as much a Google's issues as the developers.
    edited June 2018 Alex1Nlamboaudi4watto_cobra
  • Reply 15 of 54
    longpathlongpath Posts: 393member
    Where can I obtain a copy of the list of impacted apps? I saw that the list exists; but did not see the list or any link to it.
    macseekercornchipwatto_cobra
  • Reply 16 of 54
    foggyhillfoggyhill Posts: 4,767member
    Firebase is a bit like Couchdb I think, never used it though I've used Couchdb/CouchBase/PouchDB in the corporate apps my team built and a lot of other NOSQL db's.
  • Reply 17 of 54
    boboliciousbobolicious Posts: 1,139member
    ...is the simplest way to avoid such issues to never left 'Elvis leave the building' as they say... ? Is there a reason all Apple roads seem to lead to iCloud? Why so many entrust data to any cloud (gmail/hotmail/apple servers included) especially stateside given the Patriot Act is beyond my comprehension... I have a tough time convincing anyone to integrate the seemingly ubiquitous S/MIME encryption despite free certificate availability for personal use (numerous finer points debatable) and yet... ...will we all get what we deserve in the end...?
    Having to go home to check my email kinda defeats the "e" part of it, no?
    Not sure I understand - I found S/MIME easier to set up in iOS than macOS,
    and it seems to work seamlessly with windoze types if they are interested...?
    https://arstechnica.com/gadgets/2011/10/secure-your-e-mail-under-mac-os-x-and-ios-5-with-smime/
    ...of course nothing is perfect, well except maybe the Kremlin strategy of using typewriters, ha ha...
    https://www.huffingtonpost.com/2013/07/11/kremlin-typewriters_n_3579184.html  :)
    Alex1N
  • Reply 18 of 54
    Lara Croft 835Lara Croft 835 Posts: 6unconfirmed, member
    maestro64 said:
    HeliBum said:

    Yep, leaking private information and Google are synonymous.


    Anybody know where to find the list of affected apps?

    It would be nice to know which apps have this issue.
    Report is pay to view but

    Enterprises are at significant risk from the Firebase vulnerability because 62% of enterprises have at least one vulnerable app in their mobile environment. The vulnerable apps are in multiple categories, including tools, productivity, health and fitness, communication, finance and business apps.

    Worse, the data being leaked is highly sensitive including PII, PHI, plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and geolocation information, and more. 

    Our Mobile Threat Team discovered over 2,300 unsecured Firebase databases and 3,000 unique iOS and Android apps with this vulnerability. The Android versions of these apps alone have been downloaded over 620 million times. 

    More than 100 million records are exposed, including: 

    • 2.6 million plain text passwords and user IDs
    • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
    • 25 million GPS location records
    • 50 thousand financial records including banking, payment and Bitcoin transactions
    • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens

    cornchipwatto_cobra
  • Reply 19 of 54
    lkrupplkrupp Posts: 10,557member
    evilution said:
    I’m sure it’ll be all Apple’s fault somehow. News sites will post about iOS apps sending out data, totally missing the fact it happens on Android and is Google’s product at fault.
    Of course it’s all Apple’s fault and never fear, Gatorguy will be along shortly to explain why Firebase is Google’s gift to the universe and we should all get down on our knees and be thankful. 
    radarthekatcornchipmacky the mackyMuntzlamboaudi4lostkiwiwatto_cobrajony0
  • Reply 20 of 54
    foggyhillfoggyhill Posts: 4,767member
    maestro64 said:
    HeliBum said:

    Yep, leaking private information and Google are synonymous.


    Anybody know where to find the list of affected apps?

    It would be nice to know which apps have this issue.
    Report is pay to view but

    Enterprises are at significant risk from the Firebase vulnerability because 62% of enterprises have at least one vulnerable app in their mobile environment. The vulnerable apps are in multiple categories, including tools, productivity, health and fitness, communication, finance and business apps.

    Worse, the data being leaked is highly sensitive including PII, PHI, plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and geolocation information, and more. 

    Our Mobile Threat Team discovered over 2,300 unsecured Firebase databases and 3,000 unique iOS and Android apps with this vulnerability. The Android versions of these apps alone have been downloaded over 620 million times. 

    More than 100 million records are exposed, including: 

    • 2.6 million plain text passwords and user IDs
    • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
    • 25 million GPS location records
    • 50 thousand financial records including banking, payment and Bitcoin transactions
    • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens

    Why on god's green earth are plain text passwords even stored..., why not store salted hashes, who the hell does that... It wasn't even good security practice in 1993, let alone 25 years later!!.
    I just don't get it.
    Seems it's not just Google that were idiotic here; most IT and devs are lazy ass that wouldn't know security if it bit them in the ass.
    edited June 2018 radarthekatcoolfactorcornchipwatto_cobra
Sign In or Register to comment.