More than a dozen popular Android applications, downloaded by more than 140 million people, have reportedly been found leaking user data.
The exposed data includes usernames, email addresses, and much other personal information.
The leaks were detected by cybersecurity researchers at CyberNews, who have released a report on them.
Some of the applications mentioned in the report are Universal TV Remote Control, Remote for Roku: Codematics, Hybrid Warrior: Dungeon of the Overlord, and Find My Children: Trackers of Children’s Mobile Location.
The leaks are possible because of a configuration error in the applications' Firebase databases. These databases are often managed by developers without security training, which makes them an easy target for cybercriminals.
Firebase is a mobile application development platform that offers developers features such as hosting, analytics, and real-time cloud storage.
The platform was acquired by Google in 2014 and has since been one of the most popular data storage solutions for Android applications.
The research reveals that, because of the bad Firebase configuration, anyone who knows the right URL can access the real-time database and the user information of these popular applications without any authentication.
According to researcher Martynas Bunaris, the applications leak not only user data but also users' personal messages.
For the investigation, the researchers analyzed the 1,100 most popular applications in 55 different categories on the Google Play Store.
As the popularity metric, the researchers used the ‘top {category}’ collections provided by the Play Store.
CyberNews claims that its researchers reported their findings to Google and asked the company to help the developers, but the technology giant ignored all of their questions.
Although the researchers only looked at applications on the Play Store, iOS applications might also be affected by this configuration error, because Firebase is a platform-agnostic service.
“If you are an application developer, always make sure to follow the official real-time Firebase Database Security Guidelines provided by Google,” the CyberNews researchers suggest.
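
A Realtime Database rules file can be checked for this kind of misconfiguration before it is deployed. The following is an added example, not code from the CyberNews report or from Firebase: a small linter that walks a rules file and flags every path where `.read` or `.write` is granted unconditionally. The function name `findPublicRules` and both sample rules files are constructed for illustration, and the input is assumed to be strict JSON without comments.

```javascript
// Constructed sample: the fully open configuration the article describes.
const OPEN_RULES = `{
  "rules": { ".read": true, ".write": true }
}`;

// Constructed sample: per-user data is locked down, but one subtree
// is still readable without authentication.
const MIXED_RULES = `{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    },
    "messages": { ".read": "true", ".write": "auth != null" }
  }
}`;

// Return every path whose .read or .write is granted unconditionally
// (boolean true or the string expression "true"). Realtime Database rules
// cascade: access granted at a path also applies to all of its children,
// so a finding at "/" means the whole database is exposed.
// Limitation: other always-true expressions such as "1 == 1" are not detected.
function findPublicRules(rulesJson) {
  const root = JSON.parse(rulesJson).rules;
  if (root === null || typeof root !== "object") {
    throw new Error('rules file has no top-level "rules" object');
  }
  const findings = [];
  const walk = (node, path) => {
    for (const [key, value] of Object.entries(node)) {
      if (key === ".read" || key === ".write") {
        if (String(value).trim() === "true") {
          findings.push({ path: path || "/", rule: key });
        }
      } else if (value !== null && typeof value === "object") {
        walk(value, `${path}/${key}`);
      }
    }
  };
  walk(root, "");
  return findings;
}
```

An empty result only means no unconditional grant was found; each remaining rule expression still has to be reviewed against the data it protects.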