3,000+ mobile apps leaking data from unsecured Firebase databases

Appthority published research on its discovery of a new HospitalGown threat variant that occurs when app developers fail to require authentication to Google Firebase databases.

unsecured Firebase databases

Appthority security researchers discovered the HospitalGown vulnerability in 2017 which leads to data exposures, not due to any code in the app, but to the app developers’ failure to properly secure backend data stores (hence the name). The new Firebase variant exposes large amounts of mobile app-related data stored in unsecured Firebase databases.

Exposed data from includes personally identifiable information (PII), private health information (PHI), plaintext passwords, social media account and cryptocurrency exchange private access tokens, financial transactions, vehicle license plate and registration numbers, and more data leaking from vulnerable apps.

“The Firebase vulnerability is a significant and critical mobile vulnerability exposing vast amounts of sensitive data,” said Seth Hardy, Appthority Director of Security Research. “The large number of vulnerable apps and the wide variety of data shows that enterprises can’t rely on mobile app developers, app store vetting or simple malware scans to address data security. To keep their data safe and stay in compliance with regulations like GDPR, HIPAA and PCI, they need to be investing in deep app analysis that detects these types of vulnerabilities.”

Key findings

  • 3,000 mobile iOS and Android apps – over 620 million Android downloads, alone — are leaking data from 2,300 unsecured Firebase databases
  • Multiple app categories are impacted including tools, productivity, health and fitness, communication, cryptocurrency, finance and business apps
  • Most enterprises are impacted: 62% of enterprises have at least one vulnerable app in their mobile environment.

unsecured Firebase databases

More than 100 million records are exposed, including:

  • 2.6 million plain text passwords and user IDs
  • 4 million+ PHI (Protected Health Information) records (chat messages and prescription details)
  • 25 million GPS location records
  • 50,000 financial records including banking, payment and Bitcoin transactions
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens.

Don't miss