Android: Firebase configuration errors expose millions of users' personal data

Thousands of Android apps expose user data. Millions of email addresses, phone numbers and passwords are accessible on the web due to configuration errors in the Google Firebase mobile app development platform.

Android applications totaling more than 4.2 billion downloads publish their users' data on the Web. A team of Comparitech security researchers led by Bob Diachenko examined more than 515,735 applications from Google's Play Store. Of these, 4,282 publicly exposed sensitive data. The cause of the problem is reported to be a configuration error in the Google Firebase mobile development platform. The complete databases of these applications could be accessed by simply adding ".json" to the end of their Firebase web addresses.

The applications studied exposed more than 7 million e-mail addresses and almost as many chat messages, 4 million user identifiers and a million passwords. The leak continues with more than 5 million telephone numbers, 18 million full names and half a million postal addresses. The researchers even found IP addresses, bank card numbers and photos of identity documents.

Configuration errors that could affect iOS and the web

The researchers checked only 18 percent of the apps in the Play Store. Extrapolated to the entire catalog, this flaw could potentially affect 24,000 Android applications. In addition, the problem is not limited to Google's mobile operating system, since the Firebase platform is also used to build applications for iOS and the Web. The amount of information exposed is therefore potentially much greater.

In all, the researchers managed to access the databases of 11,730 applications. Of these, 9,014 were also writable. It would therefore be possible to modify a database in order to use the application for phishing or to spread malware. Contacted by Comparitech, Google said it would notify developers of the configuration errors. This leak once again shows the importance of limiting the confidential data shared with applications, and of choosing a different password for each account.
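The exposure described above comes down to Firebase Realtime Database security rules that grant read (and, for the writable databases, write) access to anyone. The following is an added example, not Comparitech's or Google's code: a small audit of a Firebase rules document that flags world-readable or world-writable paths, run against two constructed rules files, the open default beside a hardened per-user version. The set of "public" expressions it recognises is an assumption.

```python
"""Audit Firebase Realtime Database security rules for public access.

Added example, not the researchers' code: flags rules that make data
world-readable or world-writable, which is the misconfiguration that lets a
whole database be fetched by appending ".json" to its Firebase URL.
The two rules documents at the bottom are constructed samples.
"""
import json

# Expressions that grant access to unauthenticated clients. This list is an
# assumption covering the common shapes; anything else is treated as restricted.
PUBLIC_EXPRESSIONS = {"true", "auth == null", "auth === null"}


def is_public(value) -> bool:
    """A rule is public if it is literally true or its expression does not
    require an authenticated user (for example `auth == null`)."""
    if value is True:
        return True
    if isinstance(value, str):
        return value.strip() in PUBLIC_EXPRESSIONS
    return False


def find_public_rules(rules: dict, path: str = "/") -> list:
    """Walk the rules tree and return (path, permission) pairs open to anyone.
    Firebase evaluates rules top-down, so an open rule at "/" exposes every
    child node regardless of what the children declare."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if is_public(value):
                findings.append((path, key))
        elif isinstance(value, dict):
            findings.extend(find_public_rules(value, path.rstrip("/") + "/" + key))
    return findings


def audit(rules_json: str) -> list:
    """Parse a rules document and return its public read/write findings."""
    return find_public_rules(json.loads(rules_json).get("rules", {}))


# Constructed sample: the open default that exposes an entire database.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'

# Constructed sample: per-user records readable and writable only by their owner.
HARDENED_RULES = '''{"rules": {"users": {"$uid": {
  ".read": "auth != null && auth.uid == $uid",
  ".write": "auth != null && auth.uid == $uid"}}}}'''

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(doc) or "no public rules")
```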