You may never have heard of Firebase, but you may have already used an application that takes advantage of it. It is a backend platform for web and mobile applications, acquired by Google in 2014; put simply, it is a solution used by developers around the world to handle the “behind the scenes” of their applications: interface construction, SDK, user database, usage analysis and monetization are some of the platform's main features.
Okay, fine. The problem is when some careless developers don't connect to the platform in the right way and end up exposing their users to intruders and, potentially, the Internet as a whole. And that’s exactly what the security firm Appthority recently discovered, as reported by Bleeping Computer.
The researchers scanned 2.7 million apps on the App Store and Google Play and found more than 113GB of user information from more than 2,200 Firebase databases, openly available on the internet to anyone who knows the right URL. More than 100 million items of personal data are exposed, including logins and passwords, health information, location information and even financial transactions.
The cause of the exposure is simple: a failure to authenticate apps with Firebase's encrypted cloud platform, which leaves the data exposed on the internet without any protective barrier. The researchers did not say which apps were found to be causing the problem, but, judging by the fact that (on the Android side) the apps have been downloaded more than 620 million times, some very popular titles may be among them.
Google was notified of the problem and received a list of the affected apps, as well as the databases exposed, but has yet to comment on the case.
Anyway, the reminder is to never share sensitive information with applications that are not absolutely reliable; after all, we never know when the developer on the other side may be slightly careless.