Misconfigured Firebase backends cause massive leaks of sensitive application data

Misconfigured Firebase

Firebase is a development platform for web and mobile applications. It provides cloud messaging, notifications, databases, analytics, and many back-end APIs. It was acquired by Google in 2014 and is popular with many Android developers. It is also one of the most widely used data storage platforms for mobile applications.

After scanning more than 2.7 million mobile apps, Appthority found 28,000 that store data on a Firebase back end. Of these, 3,046 apps stored data in 2,271 misconfigured Firebase databases that allowed third parties to view the data publicly. Most of them were Android apps (2,446), with a further 600 iOS apps.

In total, 113 GB of app data leaked, including 2.6 million plaintext passwords and user accounts, 4 million chat records, 25 million GPS location records, 50,000 financial transaction records, and 4.5 million Facebook, LinkedIn and Firebase user credentials.

Appthority states that the 2,446 Android apps have been downloaded more than 620 million times from Google Play. They span many categories, from tools, productivity, fitness and communications to finance and business applications. 62% of companies use at least one of these apps.

Although the root cause is a configuration failure on the developers' side, with no access verification in place so that anyone could read the Firebase database, Appthority also points at Google, arguing that Firebase does not protect user data by default and lacks third-party tools for encrypting user data.
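As an added illustration (not code from the Appthority report or from any app mentioned above), the check a defender would run against a Firebase Realtime Database rules file: a constructed wide-open rule set next to a constructed locked-down one, and a small auditor that flags every `.read`/`.write` rule reachable without authentication. Rule names, paths and expressions below are assumptions chosen for the example.

```python
import json

# Constructed sample rule sets (not from any real app). Firebase Realtime
# Database rules are a JSON tree with ".read"/".write" keys at each path.
OPEN_RULES = json.loads("""
{"rules": {".read": true, ".write": true}}
""")

LOCKED_DOWN_RULES = json.loads("""
{"rules": {
  "users": {
    "$uid": {
      ".read":  "auth != null && auth.uid == $uid",
      ".write": "auth != null && auth.uid == $uid"
    }
  },
  "public_config": {".read": true}
}}
""")


def is_public_grant(expr):
    """True if a rule expression grants access to unauthenticated callers.

    Boolean true or the literal "true" is wide open. A string expression
    that never mentions `auth` (e.g. "newData.exists()") never checks who
    the caller is, so it is treated as public too; "false" is a deny.
    """
    if expr is True:
        return True
    if isinstance(expr, str):
        text = expr.strip()
        if text == "false":
            return False
        return text == "true" or "auth" not in text
    return False


def find_public_paths(rules_doc):
    """Return (path, kind) pairs where a public .read/.write is granted.

    Rules cascade downward: a public ".read" at /foo makes everything
    under /foo readable and child rules cannot revoke it, so reporting
    the node where the grant appears is enough. Paths with no rule at
    all are denied by default.
    """
    findings = []

    def walk(node, path):
        for kind in (".read", ".write"):
            if kind in node and is_public_grant(node[kind]):
                findings.append((path or "/", kind))
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings
```

Running `find_public_paths` over a project's exported rules file lists exactly the subtrees an anonymous client could read or write; only deliberately public data (like the `public_config` node above) should appear.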