- Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases.
Google’s Firebase service is one of the most popular back-end development platforms for mobile and web applications. It offers developers a cloud-based database that stores data in JSON format and syncs it in real time with all connected clients. Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions. Many app developers fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of their customers’ sensitive data publicly accessible to anyone.
Attackers can access unprotected data in databases hosted with the service simply by adding “/.json”, with a blank database name, at the end of the hostname.
Cyber Security Tips:
The only security features available to developers are authentication and rule-based authorization. Developers need to explicitly implement user authentication on all database rows and tables to protect their databases from unauthorized access.
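As an added example (not from the original article and not part of Firebase's own tooling), the script below lints a Realtime Database rules file for paths whose `.read` or `.write` rule is unconditionally true, which is the condition that leaves data readable without authentication. The sample rules and the function names are constructed for illustration; it assumes the plain-JSON rules format and relies on the fact that a grant at a parent path cascades to every child path and cannot be revoked there.

```python
import json

# Constructed sample rules (not from any real app): the root is locked and
# "users" is per-user, but "debug" is open to everyone.
SAMPLE_RULES = """
{"rules": {
  ".read": false, ".write": false,
  "users": {"$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"}},
  "debug": {
    ".read": true, ".write": "true",
    "logs": {".read": "auth != null"}}
}}
"""

def is_public(expr):
    """True if the rule grants access to everyone, authenticated or not."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def audit(node, path="/", inherited=frozenset()):
    """Walk the rules tree and return (path, operation, issue) findings."""
    findings = []
    granted = set(inherited)
    for op in (".read", ".write"):
        if op in node and is_public(node[op]):
            if op not in inherited:  # report each open subtree once, at its top
                findings.append((path, op, "public"))
            granted.add(op)
        elif op in node and op in inherited:
            # A stricter child rule cannot revoke what a parent already grants.
            findings.append((path, op, "ineffective: parent grants access"))
    for key, child in node.items():
        if not key.startswith(".") and isinstance(child, dict):
            child_path = path.rstrip("/") + "/" + key
            findings += audit(child, child_path, frozenset(granted))
    return findings

def audit_rules(text):
    """Audit a rules document given as JSON text."""
    return audit(json.loads(text).get("rules", {}))

if __name__ == "__main__":
    for path, op, issue in audit_rules(SAMPLE_RULES):
        print(f"{path:12} {op:7} {issue}")
```

An empty result means no path is unconditionally open; rules such as `auth != null` still admit every signed-in user and need a separate review.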