Think about everything you do with your smartphone nowadays. It’s not just your go-to gadget for communicating with your friends who live hundreds of miles away anymore.
Smartphones are now powerful all-in-one computers, and with the help of apps, we also use them for critical tasks like online banking and storing documents in the cloud. Imagine if hackers can get their hands on all of the sensitive information from the apps that you regularly use.
Unfortunately, there are thousands of iOS and Android apps that were found to be leaving millions of users open to hackers.
Firebase database leaks
According to a recent report from mobile app security company Appthority, 2,200 unsecured databases using Google’s Firebase development platform have caused around 3,000 iOS and Android apps to expose over 100 million user records.
The leaked information includes:
- 2.6 million plaintext passwords and user IDs.
- 4 million+ PHI (Protected Health Information) records.
- 25 million GPS records.
- 50,000 financial records including Bitcoin transactions.
- 4.5 million Facebook, LinkedIn, corporate data-store user tokens.
The flaw is reportedly caused by a new variant of an old vulnerability called “HospitalGown.”
Why is it called HospitalGown, you may ask? Don’t laugh, but the flaw got its nickname because it concerns data that is “leaking through backend data stores.”
The problem seems to stem from app developers not configuring the Firebase cloud databases behind their apps to require authentication. That option is apparently easy to miss, since it is not enabled by default.
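As an added illustration, not taken from the Appthority report or from Google’s Firebase documentation, the Python snippet below shows what that misconfiguration looks like in a Realtime Database security-rules document and lints a rules file for read or write grants that never consult the `auth` variable. Both sample rule sets, including the `users/$uid` record layout, are constructed for this example.

```python
"""Lint Firebase Realtime Database security rules for unauthenticated access.

A `.read` or `.write` rule that is literally `true`, or a rule expression that
never mentions `auth`, lets anyone who knows the database URL read or modify
that subtree without signing in. This is the kind of open configuration the
Appthority report attributes to the leaks.
"""
import json

# Constructed sample: a wide-open ruleset. Everything under the root is
# readable and writable by unauthenticated clients.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed sample: deny by default at the root, then grant each signed-in
# user access only to their own record. The "users/$uid" layout is an
# assumption made for this example.
HARDENED_RULES = json.dumps({
    "rules": {
        ".read": False,
        ".write": False,
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
    }
})


def find_unauthenticated_access(rules_json):
    """Return a list of (path, permission, reason) tuples for every `.read`
    or `.write` grant that does not depend on the requesting user's identity.

    An empty list means every grant at least references `auth`; it does not
    prove the rules are correct, only that nothing is open to the world.
    """
    findings = []
    root = json.loads(rules_json)["rules"]

    def walk(node, segments):
        path = "/" + "/".join(segments)
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True:
                    findings.append((path, key, "literal true"))
                elif isinstance(value, str) and "auth" not in value:
                    # e.g. "true" as a string, or a condition on data only
                    findings.append((path, key, "expression ignores auth"))
            elif isinstance(value, dict):
                # Child location or $wildcard; rules cascade downward, so a
                # grant here applies to everything beneath it.
                walk(value, segments + [key])

    walk(root, [])
    return findings


if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(label, find_unauthenticated_access(rules))
```

Run against a project’s exported rules, a non-empty result is exactly the condition to fix before shipping: a grant that does not reference `auth` is reachable by any client, regardless of how the mobile app itself authenticates.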
Thousands of apps are affected
After scanning 2.7 million apps, Appthority found out that there are approximately 28,500 apps that use Firebase to store user information.
However, 3,046 of these apps stored their data within misconfigured Firebase databases that can expose information with the use of simple commands.
Appthority’s list consists of 2,446 Android apps and 600 iOS apps with more than 113 GB of data exposed. The Android versions of the vulnerable apps have been downloaded 620 million times from the official Google Play app store so far.
Unfortunately, the list of affected apps is not publicly available at this time but Appthority stated that it already informed Google about the issue and the apps that are affected.
As for the recommended course of action? Appthority recommends that developers review their app data security more closely.
Interestingly, this is not the first time that app backend servers have been reported to be leaking data.
Last year, Appthority reported that over 1,000 apps were exposing 43 TB worth of data due to another HospitalGown vulnerability.
Additionally, back in November, over 685 apps were exposing personal data on 180 million smartphones due to a flaw in a communications tool called Twilio.
The alarming part about these flaws is that there’s nothing consumers can do right now to protect their information. It’s all up to the app developers at this time.
Security exploits like these should serve as a red flag to developers, warning them to be more cautious about how they use their tools to secure their information in the future.