- Cybernews found three misconfigured photo ID apps leaking sensitive user data via exposed Firebase instances
- Breach exposed emails, usernames, profile pictures, GPS coordinates, and notification tokens, affecting ~152,000 users
- Hackers already had access to the open databases; developers do not respond despite repeated contact attempts
Several mobile applications that identify objects in photographs leaked highly sensitive information onto the internet, and hackers managed to pick it up.
All three applications had misconfigured Firebase instances, resulting in insufficient authentication and access control. The data resided in an open database and included people’s email addresses, usernames (often including full names), Firebase Cloud Messaging (FCM) notification tokens, profile pictures and GPS coordinates.
Not all users of the apps were compromised. This is likely because optional features relied on the misconfigured Firebase instances, so it’s possible that only people who enabled certain extra features were affected.
Hackers sniffed them out
According to Cybernews, the three apps found to be leaking data were:
- Dog Breed Identifier Photo Cam (500,000 downloads, 66,182 users affected)
- Spider Identifier app by photo (500,000 downloads, 40,779 users affected)
- Insect Identifier by Photo Cam (1 million downloads, 45,005 users affected)
Most of the data could be used maliciously for phishing and identity theft, but GPS coordinates make this breach even worse, as they can reveal where people live, where they go to work, and what their daily habits are.
Cybernews’ researchers said they found a Proof-of-Concept entry in the databases, which is a “common marker left by automated bots that scan the web for unsecured databases”. In other words – hackers have already found the files.
“The number of app installs is significant. It is a common metric that users rely on to measure app popularity, which is also a trust factor,” the Cybernews research team said. “These data leaks show that relying solely on an app’s popularity to measure its security is not enough.”
Unfortunately, the researchers were unable to get in touch with the apps’ developers, despite reaching out on numerous occasions.
Via Cybernews



