A newly discovered backend data exposure vulnerability, dubbed HospitalGown, highlights the connection between mobile apps and insecure backend databases.
Appthority documented more than 1,000 apps with this vulnerability, and researched in detail 39 applications with big data leaks, which exposed an estimated 280 million records. These records were accessible as a result of weakly secured backends and did not require authentication of any kind to access the data.
“HospitalGown poses a direct risk to enterprises, opening them to an easy breach, exfiltration of sensitive data, and the costs from remediation, lawsuits, compliance infractions and loss of brand trust,” said Seth Hardy, Appthority Director of Security Research. “No amount of on-device application security can make up for relaxed security where the application stores user data. A breach at the backend takes the magnitude of the threat from being focused on a handful of devices to a much broader exposure for an entire enterprise, which could result in big data leaks or ransom of sensitive data.”
Researchers analyzed the network traffic of over a million enterprise mobile iOS and Android apps and discovered over 21,000 open Elasticsearch servers with unprotected data connected to apps frequently found on enterprise devices.
- Affected apps are connecting to unsecured data stores on popular enterprise services, such as Elasticsearch and MySQL, which are leaking large amounts of sensitive data
- Apps using just one of these services revealed almost 43TB of exposed data
- Multiple affected apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees’ VPN PINs, emails, phone numbers), and retail customer data
- In multiple cases, data has already been accessed by unauthorized individuals and ransomed
- Even apps that have been removed from devices and the app stores still pose an exposure risk due to the sensitive data that remains stored on unsecured servers.
“The HospitalGown vulnerability isn’t just theoretical. Hundreds of apps are leaking terabytes of data, all due to simple human error – failure to secure the backend data stores. We recommend that, where possible, enterprises refrain from using apps that access or send sensitive information, particularly if the data is not encrypted in transit and at rest. If the use of an app impacted by HospitalGown is necessary, we suggest contacting the app developer or vendor to verify that the backend server has been secured,” said Seth Hardy, Director, Security Research at Appthority.