Mobile app developers leave behind 2,100 open databases
An easy VirusTotal search for open Firebase databases revealed that more than 2,100 data stores used by mobile apps were left accessible by developers, exposing company bank balances, family photos and information. sensitive health applications, according to the researchers.
Mobile apps ranged from relatively unpopular apps – such as a dating app with over 10,000 downloads – to much more mainstream apps, such as a customer portal for a South American department store chain with over 10 million downloads. The department store app, for example, mistakenly exposed its credentials and API gateway keys, while a completely insecure database for a running tracker left GPS coordinates, users’ heart rates and other exposed health information, a study released March 15 by cybersecurity firm Point Software Technologies’ Check Shows.
As enterprises and developers have embraced cloud-native technologies, security has generally lagged behind, says Lotem Finkelsteen, threat intelligence and research manager at Check Point Software.
“As cloud environments have replaced traditional on-premises servers, they have also opened up assets to the internet, outside the perimeter,” he said. “Developers used to on-premises servers tend to forget this and use them trusting the security [which may not be present] to protect the network.
The data leaks discovered by Check Point researchers are the latest caused by freely accessible database backends to mobile apps or cloud services. Whether it’s an Amazon Web Service (AWS) Simple Storage Service (S3) bucket leaking half a million documents or publicly available MongoDB instances leaking 700,000 Choice Hotels guest records, misconfigurations have caused huge data breaches in recent years.
Even cybersecurity companies are not immune to the problem. In early March, security firm Reposify scanned the networks of 35 major cybersecurity companies, finding that 86% of companies exposed at least one sensitive remote access service and 80% exposed network assets. More than half (51%) also had at least one database exposed, including 72% with a PostrgreSQL DB instance exposed, 50% with an OracleDB instance exposed, and 28% and 21% with a MySQL and MSSQL instance exposed, respectfully, the company found.
“Databases are modern treasure chests – the severity of the attack will directly depend on the type of data they hold,” says Dor Levy, director of security research at Reposify.
Misconfigured Google Firebase databases
In the latest research, Check Point Software researchers counted 2,113 Firebase databases that appeared to have been left in publicly available “test mode” or had credentials exposed that allowed the company’s researchers to access the database. Firebase is a Google service for providing easily integrated and managed backends for mobile apps.
Check Point Software researchers searched the VirusTotal malware and malicious URL database, also owned by Google, for open databases. Developers often upload their apps to VirusTotal to make sure they aren’t flagged as malicious, according to Check Point Software. About 5% of the over 100,000 Firebase apps uploaded to VirusTotal had a database address open.
The research demonstrated how easily attackers could find potentially valuable datasets stored in the cloud and exposed to the public. Any hacker could search VirusTotal for public files and retrieve the full address of the cloud backend, which could then be accessed if left in test mode or with exposed credentials, Check Point Software’s Finkelsteen said in an earlier statement.
“Everything we found is accessible to everyone,” he said. “Ultimately, with this research, we’re proving how easy it is for a data breach or data abuse to occur. The amount of data that sits openly and is available to anyone on the cloud is It’s a lot easier to rape than we think.”
A logo design app with more than 10 million downloads exposed about 130,000 usernames, email addresses and passwords, according to Check Point researchers. Other apps include a social media audio app and an accounting app for small and medium businesses.
Open databases not only expose sensitive data, but since they allow data to be written to the database, they could be abused by an attacker to modify values in the database, inject malicious content in the app on users’ devices or encrypt the database for ransom. Misconfiguration is the leading cause of data breaches in the information industry – accounting for more than 70% of breaches – and is often among the top three causes of breaches for other industries, according to the “2021 Data Breach Investigations Report” (DBIR) from Verizon.
“We have to assume that any tool at our disposal is also available to hackers for exploitation – unfortunately, this is an integral part of cybersecurity protocol,” Reposify’s Levy says. “Consultable services such as [Google, Shodan, and VirusTotal] are a good starting point for any attack surface research or audit. The problem is to find all related services belonging to a specific target that need to be protected, audited and accounted for.”
Check Point Software informed the app developers mentioned in its advisory, noting that the misconfiguration of security is not the fault of Google Firebase, which offers ways to better secure assets.
“Cloud technologies have grown so rapidly that developers are struggling to catch up and are mistakenly leaving their databases open to everyone,” says Check Point’s Finkelsteen, adding, “Developers should be aware of the benefits of cloud technologies but also dangers. Security experts should facilitate the transition to the cloud and cover the mistakes made by their developers.”
The company recommends that developers take action. On Amazon Web Services, users must ensure that S3 buckets are not publicly accessible, while Google Cloud Platform users must lock the Cloud Storage database against anonymous or public access. Finally, Microsoft Azure users can set the default network access for storage accounts to Refuse.