September 26, 2020

Google Firebase misconfiguration caused 4000 Android app data to be leaked

2 min read

Due to the serious misconfiguration of Google Firebase, resulting in the leakage of user data of 4000 Android apps. It is reported that Firebase is a mobile and web application that was first developed in 2011, and subsequently, it was acquired by Google in 2014. Firebase provides a variety of server analyses, including authentication, database, configuration, file storage, and push messaging, and all these services are hosted in the cloud and can be easily used by users. Currently, in the Google Play store, more than 30% of applications are using Firebase services.

Security researchers from Comparitech have found that 4.8% of mobile applications that use Google Firebase to store data have incorrect security. Firebase’s misconfiguration allows anyone to access a database containing user personal information, access tokens, and other information without a password or any other authentication. According to the statistics of the researchers, it has been found that misconfigured applications have been installed 4.22 billion times by Android users, and using these applications at the same time may bring huge risks to user privacy.

The following are some of the public data found by researchers, including more than 7 million email addresses, 4.4 million user name information, more than 1 million account password information, more than 5.3 million user phone numbers, and other important user residence Positioning information and GPS data. Of the 1,55066 Firebase applications analyzed, 11,730 have published databases, of which 9014 even include modification permissions. In addition to viewing and downloading data, they also allow attackers to add, modify, or delete data on the server.

For this incident, Google said that Firebase provides many features that can help our developers safely configure their deployment. Currently, Google has sent developers notifications about possible misconfigurations in their deployments and provided corrective suggestions. At the same time, Firebase is also in contact with other affected developers and users to help them reduce the threat posed by data breaches.