[TheRecord] More than 10% of Firebase databases are open and exposing data

After years of warnings not to leave databases exposed online without authentication, many Firebase administrators still have not taken the risk to heart, and sensitive user data can still be found online with a few basic scripts or search queries.

In a research project conducted in July 2021 and published this week on Wednesday, cybersecurity firm Avast said it found nearly 19,300 Firebase databases, out of 180,300 tested, that were left exposed online without authentication.

“10.7% of the tested DBs were open, exposing the data to unauthenticated users, due to misconfiguration by the app developers,” said Avast security researcher Vladimir Martyanov. “This is quite a large percentage.”

Launched in 2012 as a real-time database built to serve as the backend of websites and mobile apps, Firebase has grown into one of today’s most popular app-backend platforms.

Acquired by Google in 2014, Firebase is available as a cloud-hosted data storage system; most Realtime Database instances are reachable on a firebaseio.com subdomain (newer instances may instead use a firebasedatabase.app hostname).

Over the years, Firebase has become the go-to backend for a large share of Android and iOS applications, primarily because it synchronises large volumes of data to clients in near real time.

However, since its earliest days, security researchers have found that many app developers struggle to configure its security rules correctly, leaving user data exposed online and readable by anyone.

A 2018 study found 3,046 mobile apps (2,446 Android and 600 iOS) exposing over 113 GB of data through 2,271 misconfigured Firebase databases.

Two years later, as Firebase’s popularity grew, a subsequent study found more than 24,000 Android applications exposing user data through their Firebase backends, showing that, despite the warnings, developers were still not taking security seriously enough.

Furthermore, because most databases live under the firebaseio.com domain, those that required no authentication were also often indexed by search engines, so anyone could find them with simple queries. Google has since filtered such results from its own search engine, but other search engines still surface open Firebase backends today, and the data is regularly harvested by underground data brokers.

For its part, Google introduced advanced authentication features in 2016; even so, as Martyanov’s research shows, some 19,300 Firebase backends remain exposed online.
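The "basic script" check the article alludes to is, for the Realtime Database, a single unauthenticated GET against the instance's REST root: an open instance answers 200 with its data, a locked one answers 401 with "Permission denied". The script below is an added example written for this page, not Avast's methodology or any Firebase code; the project hostnames and the replies in FAKE_RESPONSES are constructed so it runs offline, and the rule-review helper flags the ".read": true setting ("test mode") that produces the exposure. The /.json endpoint and the shallow=true parameter are documented Realtime Database REST features; Cloud Firestore uses a different API and is not covered. Only probe databases you are authorised to test.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

# The Realtime Database serves its contents over REST at /<path>.json.
# '?shallow=true' returns only top-level keys, so the probe confirms exposure
# without downloading the data.
PROBE_PATH = "/.json?shallow=true"


def classify_probe(status, body):
    """Verdict for one unauthenticated GET: 200 with data -> 'open',
    200 'null' -> 'open_empty', 401 -> 'locked', 404 -> 'not_found'."""
    if status == 200:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return "unknown"
        return "open" if data is not None else "open_empty"
    if status == 401:          # body is {"error": "Permission denied"}
        return "locked"
    if status == 404:
        return "not_found"
    return "unknown"


def probe(host, opener=urllib.request.urlopen, timeout=10):
    """Fetch the database root anonymously and classify it. 'opener' is
    injectable so the logic runs offline against fake_opener below."""
    req = urllib.request.Request(f"https://{host}{PROBE_PATH}",
                                 headers={"User-Agent": "rtdb-probe/1.0"})
    try:
        with opener(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # urlopen raises on 4xx/5xx
        return classify_probe(err.code, err.read().decode("utf-8", "replace"))


def public_read_paths(rules_doc):
    """Paths whose '.read' rule is the literal true, i.e. the 'test mode'
    default {"rules": {".read": true, ".write": true}}. Rules cascade
    downwards, so a hit at '/' means the whole database is world-readable."""
    hits = []

    def walk(node, path):
        read = node.get(".read")
        if read is True or (isinstance(read, str) and read.strip() == "true"):
            hits.append(path or "/")
        for key, child in node.items():
            if not key.startswith(".") and isinstance(child, dict):
                walk(child, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return hits


# --- constructed sample data, not captured from any real project ------------
WEAK_RULES = {"rules": {".read": True, ".write": True}}
FIXED_RULES = {"rules": {"users": {"$uid": {".read": "$uid === auth.uid",
                                            ".write": "$uid === auth.uid"}}}}
FAKE_RESPONSES = {
    "open-project.firebaseio.com":    (200, '{"orders":true,"users":true}'),
    "locked-project.firebaseio.com":  (401, '{"error":"Permission denied"}'),
    "no-such-project.firebaseio.com": (404, '{"error":"404 Not Found"}'),
}


class _FakeResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body.encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(req, timeout=10):
    """urlopen stand-in replaying FAKE_RESPONSES; raises HTTPError on 4xx."""
    host = urllib.parse.urlparse(req.full_url).hostname
    status, body = FAKE_RESPONSES[host]
    if status >= 400:
        raise urllib.error.HTTPError(req.full_url, status, "", {},
                                     io.BytesIO(body.encode()))
    return _FakeResponse(status, body)


if __name__ == "__main__":
    for host in FAKE_RESPONSES:
        print(f"{host}: {probe(host, opener=fake_opener)}")
    print("world-readable paths:", public_read_paths(WEAK_RULES),
          public_read_paths(FIXED_RULES))
```

Calling probe() with the default opener performs the real request. Note that "auth != null" as a fix only requires some signed-in user, which includes anonymous sign-in if that provider is enabled; per-user rules such as the FIXED_RULES sample are the pattern that actually scopes data to its owner.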

The post More than 10% of Firebase databases are open and exposing data appeared first on The Record by Recorded Future.
