[TheRecord] More than 10% of Firebase databases are open and exposing data

After years and years of warnings not to leave crucial databases exposed online without authentication, it appears that many Firebase administrators have failed to understand the dangers of these practices, and sensitive user data can still be easily found online with a few basic scripts or search queries.

In a research project conducted in July 2021 and published this week on Wednesday, cybersecurity firm Avast said it found nearly 19,300 Firebase databases from a grand total of 180,300 that were left exposed online without authentication.

“10.7% of the tested DBs were open, exposing the data to unauthenticated users, due to misconfiguration by the app developers. This is quite a large percentage,” said Avast security researcher Vladimir Martyanov.

Developed in 2012 as a real-time database specifically built to be used as the backend of modern websites and mobile apps, Firebase is one of today’s most popular database engines.

Acquired by Google in 2014, Firebase is available as a cloud-hosted data storage system, with most databases hosted on a firebaseio.com subdomain.

Over the years, Firebase has become the go-to database for many Android and iOS applications, primarily because it can handle huge data loads in near real time.

However, since its earliest days, security researchers have found that many app developers struggle to configure their Firebase backends correctly, which often leaves user data exposed online and accessible to anyone.

A 2018 study found 3,046 mobile applications (2,446 Android and 600 iOS) exposing over 113 GB of data via over 2,271 misconfigured Firebase databases.

Two years later, as Firebase’s popularity grew, a subsequent study found more than 24,000 Android applications exposing user data through their Firebase backends, showing that despite warnings, developers were still not taking security seriously enough.

Furthermore, since most databases are hosted on the firebaseio.com domain, databases that didn’t require a password were also often indexed by search engines, allowing anyone to find these systems with simple queries. While Google intervened to filter its own search results, other search engines still surface Firebase backends today, and the exposed data is regularly harvested by underground data brokers.

For its part, Google introduced advanced authentication features in 2016; however, as Martyanov’s research shows, 19,300 Firebase backends are still exposed online.
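The “misconfiguration” the article refers to is, in concrete terms, a Realtime Database security rule set that grants `.read` or `.write` to everyone. The following is an added example, not code from The Record or Avast: a small linter that walks a rules document and reports every path whose access rule is a constant `true` (reachable without any authentication) or merely `auth != null` (any signed-in account, including throwaway sign-ups). The `.read`/`.write`/`auth.uid`/`$uid` syntax is Firebase’s real rule language; the two sample rule sets and the linter itself are constructed for this example. Because rules cascade downward in Firebase, a `true` at the root is enough to expose every child node, so the linter reports the node where the grant occurs.

```python
"""Lint Firebase Realtime Database security rules for world-accessible paths.

Rules cascade: a ".read": true at /foo grants read access to every child of
/foo, and a child rule cannot take it back. The linter walks the rules tree
and reports every ".read"/".write" that evaluates to a constant true, plus
rules that only require "any signed-in user" (auth != null), which are weaker
than per-user checks. Both sample rule sets below are constructed.
"""
import json
import re

# Constructed sample: the misconfiguration the article describes. Anyone who
# knows the database URL can read and write everything.
OPEN_RULES = json.dumps({
    "rules": {".read": True, ".write": True}
})

# Constructed sample: a locked-down variant. Each user can only read and write
# their own subtree; the "public" node is readable by signed-in users only and
# writable by nobody from the client SDK.
LOCKED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public": {
            ".read": "auth != null",
            ".write": False,
        },
    }
})

_WORLD = re.compile(r"^\s*true\s*$", re.IGNORECASE)
_ANY_SIGNED_IN = re.compile(r"^\s*auth\s*!=\s*null\s*$")


def classify(expr):
    """Map a single rule expression to a severity label (or None if fine)."""
    if expr is True or (isinstance(expr, str) and _WORLD.match(expr)):
        return "WORLD"          # unauthenticated access: the article's finding
    if isinstance(expr, str) and _ANY_SIGNED_IN.match(expr):
        return "ANY_USER"       # any account at all can reach this node
    return None                 # per-user / conditional rule: passes this check


def lint_rules(rules_json):
    """Return a sorted list of (path, permission, severity) findings."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                severity = classify(value)
                if severity:
                    findings.append((path or "/", key, severity))
            elif key not in (".validate", ".indexOn"):
                # Any other key is a child node (including $wildcards); descend.
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return sorted(findings)


def is_world_accessible(rules_json):
    """True if any path can be read or written without authentication."""
    return any(sev == "WORLD" for _, _, sev in lint_rules(rules_json))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        print(name, lint_rules(rules), "world-accessible:", is_world_accessible(rules))
```

Running the script against the two constructed rule sets reports both root grants of the open configuration as WORLD, and only the `/public` read of the locked configuration as ANY_USER; the per-user `$uid` rules pass. A check like this belongs in CI alongside the rules file, so a `.read: true` left over from development is caught before deployment rather than by a search engine.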

The post More than 10% of Firebase databases are open and exposing data appeared first on The Record by Recorded Future.
