Firebase is used by several apps to store user data, and that data is not properly secured, allowing anyone to access databases containing users' personal information, including access tokens and other data, without any form of authentication.
Firebase is a cloud-based mobile and web application development platform that runs across several operating systems; Google acquired it in 2014.
According to security researchers at Comparitech, an analysis of 15,735 Android apps, about 18 percent of the apps on the Google Play store, found that 4.8 percent of the apps using Firebase to store user data are not properly secured.
The vulnerable apps, mostly in the games, education, entertainment, and business categories, have been installed over 4 billion times by Android users, so the chances that an Android user's privacy has been compromised by at least one app are high.
How Firebase misconfiguration allows hackers to steal data
A Firebase misconfiguration allows hackers to steal data from storage simply by appending “.json” to the end of a Firebase URL; the attacker can then view and download the contents of the vulnerable database.
Although Google has taken steps to scrub these vulnerable Firebase database URLs from its search results, they are still indexed by other search engines such as Bing. The researchers found exposed databases by searching each app's resources for strings indicating that Firebase is used, such as text ending in “.firebaseio.com”.
Firebase provides a simple REST API for accessing stored data, and the data is stored in JSON format, so a public database is accessible by making a request to the database URL with “.json” appended.
How to Secure Your Data and Prevent Unauthorized Access
The researchers promptly notified Google of their findings on April 22, and the Internet giant promised to reach out to affected developers in order to patch the flaw.
Until then, app developers are advised to adhere to database rules that secure their apps' data and prevent unauthorized access. Users, on their part, are advised to stick to trusted apps and be cautious about the information they share with any app.
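As an added illustration of the database rules mentioned above (this is not from the article or from Comparitech), the first Firebase Realtime Database rule set below is the kind of configuration that makes a database readable by anyone who appends “.json” to its URL, and the second restricts each record to its authenticated owner. The `users` path and the `$uid` key name are assumed for the example.

```json
{
  "_comment_exposed": "Misconfigured rules: any client, authenticated or not, can read and write the whole database",
  "rules_exposed": {
    ".read": true,
    ".write": true
  },

  "_comment_restricted": "Corrected rules: no access by default; a signed-in user can read and write only the node matching their own uid",
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

Only the `rules` object is deployed to Firebase; the `rules_exposed` object and the `_comment_*` keys are shown side by side for comparison and must not be published. With the corrected rules in place, an unauthenticated request to the database URL with “.json” appended is refused with a permission error instead of returning the stored data.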