More than 100 million pieces of personal information exposed by a Firebase vulnerability


by Alex Iby

A vulnerability has come to light in which data stored in Google's mobile platform "Firebase" is not adequately protected. At 62% of companies, related mobile application data stored in the database is exposed through this vulnerability.

62% of Enterprises Exposed to Sensitive Data Loss via Firebase Vulnerability - Appthority
https://www.appthority.com/company/press/press-releases/62-of-enterprises-exposed-to-sensitive-data-loss-via-firebase-vulnerability/



Q2 2018 Mobile Threat Report Download | Firebase Vulnerability: Exposing Sensitive Data via Thousands of Mobile Apps
http://info.appthority.com/-q2-2018-mtr-download-Firebase-vulnerability

According to security company Appthority, this vulnerability appears when Firebase database authentication is not done properly. It is thought to be a variant of the "HospitalGown" vulnerability found in the second quarter of 2017, in which information is exposed when the application developer's protection of the data store is incomplete.

It is estimated that at least 62% of users have "vulnerable applications" that leak information, and the data handled by this large number of "vulnerable applications" is openly accessible. The exposed data comprises 2.6 million plaintext passwords with user IDs, "protected health information (PHI)" as defined by HIPAA, 4 million messages sent and received, 25 million GPS location records, 50,000 bank and Bitcoin payment records, and 4.5 million user tokens for Facebook, LinkedIn, Firebase and other companies' services, for a total of more than 100 million records.

"This Firebase vulnerability is a serious and dangerous one that exposes a huge amount of confidential information. The fact that there are many "vulnerable applications" and that a wide variety of data has been exposed has shown that companies cannot rely on application developers and cannot address this through app store checks or simple "malware scanning." In order to comply with data protection rules such as GDPR, HIPAA and PCI, deep application analysis will be needed so that this type of vulnerability can be found in the future."

in Security, Posted by logc_nt