Five percent of the databases are vulnerable to threat actors: It’s a gold mine of exploit opportunity in thousands of mobile apps, researchers say.

Thousands of mobile apps – some of which have been downloaded tens of millions of times – are exposing sensitive data from open cloud-based databases due to misconfigured cloud implementations, new research from Check Point has found.

Check Point Research (CPR) found that in three months’ time, 2,113 mobile apps using the Firebase cloud-based database exposed data, “leaving victims unprotected and easily accessible for threat actors to exploit,” according to a blog post published this week.

This amounts to an estimated 5 percent of all Firebase databases being misconfigured in the cloud in some way – or the equivalent of thousands of new applications every month leaving sensitive data exposed, according to CPR.


Mobile apps that researchers found were left vulnerable by cloud misconfigurations were popular apps for dating, fitness, bookkeeping, logo design, e-commerce and more, some with more than 10 million downloads, according to the post.

“Exposed information includes: chat messages in popular gaming apps, personal family photos, token IDs on … healthcare applications, data from cryptocurrency exchange platforms, and more,” according to the post.

The research once again highlights the vulnerability of misconfigured cloud infrastructure – a thorn in the side of cloud security since its inception. Moreover, if the CPR research is any indication, that thorn doesn’t seem to be getting any less prickly.

“These databases represent a gold mine for malicious actors, as they allow them to read and write new values in the database,” researchers said in the post. “A hacker could potentially change entries in the bucket and inject malicious content that could infect users or wipe the whole content.”

Threat actors also have leveraged misconfigured cloud storage in ransomware attacks – as was the case with a MongoDB debacle back in 2017 – demanding ransom payments after extracting and wiping databases that were left open, CPR said.

Discovering Exposed Databases

Researchers discovered the vulnerable databases simply by creating a VirusTotal query that searched for “Firebase URLs in APKs: content: ‘*.firebaseio.com’ type: apk,” which returned all the applications communicating with Firebase services.

They then checked whether the database allowed unauthenticated read access by requesting its /.json URL. “Any DBs containing sensitive data exposed here should not be accessible as a rule,” according to the post.

Next, researchers filtered with keywords such as “Token,” “Password” or “Admin,” which they said led to some curious findings regarding which databases were exposed.

For instance, the exposed database of a popular podcast-sharing audio platform with more than 5 million downloads exposed users’ bank details, location, phone numbers, chat messages, purchase history and more. Meanwhile, an e-commerce application for a large shopping chain in South America mistakenly exposed its API gateway credentials and API keys, researchers said.

They also found that an accounting services app for SMBs with more than 1 million downloads exposed 280,000 phone numbers associated with at least 80,000 company names, addresses, bank balances, cash balances, invoice counts and emails, researchers wrote. CPR also was able to view more than 50,000 private messages in the open database of a dating application with more than 10,000 downloads, they said.

Why It Happens

There are several reasons as to why developers leave databases inadvertently exposed in cloud configurations, researchers noted, and they should be mindful of these common errors in future endeavors.

One is that while writing code, developers invest a lot of resources to harden an application against several forms of attacks. “However, developers may neglect configuring the cloud database properly thus leaving real-time databases exposed, which could then [result] in a catastrophic breach if exploited,” according to CPR.

A common configuration error developers make is to manually change the default locked and secured security rules in order to run tests, and then forget to lock them back down before releasing the app to production. If this happens, the database is open to anyone who can reach it, who can then both read from and write to it, researchers said.
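To make the misconfiguration concrete, here is an added example (not from the CPR post or any of the apps it describes) of a Firebase Realtime Database rules file as it often looks after being opened up for testing, next to a locked-down version. The rules cascade from parent to child, so a top-level grant is exactly what makes the /.json check described above return the whole database; the `users` and `$uid` paths below are assumed illustrative names, and the `//` comments are accepted by the Firebase rules editor.

```json
{
  // WEAK: "opened for testing" rules. A grant at the root applies to every
  // path beneath it and cannot be revoked by child rules, so an anonymous
  // GET of https://<project>.firebaseio.com/.json returns all of the data
  // and an anonymous PUT/PATCH can overwrite or wipe it.
  "rules_weak_example": {
    ".read": true,
    ".write": true
  },

  // HARDENED: no grant at the root (the default is deny), so /.json is
  // refused with "Permission denied". Access is granted only on specific
  // paths and only to the authenticated owner of that path.
  "rules": {
    "users": {
      "$uid": {
        // Only the signed-in user whose uid matches the key may read/write.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        // Reject writes that do not match the expected shape.
        ".validate": "newData.hasChildren(['displayName'])",
        "displayName": {
          ".validate": "newData.isString() && newData.val().length < 64"
        }
      }
    }
  }
}
```

The real rules file has a single top-level `rules` key; the `rules_weak_example` key is shown only for side-by-side comparison and would be ignored by Firebase. A release checklist should include fetching `/.json` without credentials against the production database and expecting a permission error rather than data.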

Researchers were able to find the exposed databases on VirusTotal because it’s not uncommon for an app in development to be uploaded to the platform for various reasons, including developers wanting to check whether their app is flagged as malicious or to use its sandbox features, researchers said.

Sometimes organizations’ security policies upload apps to VirusTotal automatically, without the developers’ knowledge, which also makes them discoverable, they added.
