Over 900 websites inadvertently expose over 10 million passwords, many of which are in plaintext, alongside sensitive billing information and personally identifiable information of approximately 125 million users.
This massive data exposure is attributed to misconfigured instances of Firebase, a popular development platform for building mobile and web applications; its very ease of use has led to widespread security oversights.
Firebase, known for its comprehensive suite of tools that aid developers in building, managing, and growing their apps, has a critical flaw in its security rules configuration.
The platform allows for easy misconfiguration with zero warnings, leading to hundreds of sites exposing user records.
Ai, prompting a more extensive scan for exposed PII across the internet due to misconfigured Firebase instances.
The quest to uncover the extent of this exposure began with a rudimentary scanner developed in Python, designed to check for Firebase configuration variables in websites or their loaded JavaScript bundles.
A subsequent version of the scanner, rewritten in Go by a team member known as Logykk, proved more efficient, not suffering from the memory leak issues of its predecessor.
Despite the improved efficiency, the scanning process was a waiting game.
A recent report by env has revealed that around 900 websites have inadvertently exposed over 10 million passwords, including sensitive billing information and personally identifiable information of approximately 125 million users.
This secondary scanner automated checking for read access to common Firebase collections and those explicitly mentioned in the JavaScript itself.
This tool not only identified accessible collections but also assessed the impact of the exposed data by sampling 100 records and extrapolating the findings across the total size of the collection.
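The two scanner stages described above, as an added illustration that is not the researchers' own code: stage one pulls the public Firebase web config and any named collections out of a JS bundle, and stage two classifies a sample of documents by sensitive-data category and scales the counts to the collection's total size. The bundle fragment, field-name heuristics and category names are all constructed here, and the actual read-rule check against a live project is left out.

```python
import re
from collections import Counter
from typing import Any, Dict, List, Set
# Constructed fragment of the kind of JS bundle a Firebase web app ships. These config
# values are public by design; the exposure comes from permissive read rules, not from them.
SAMPLE_BUNDLE = '''var firebaseConfig={apiKey:"AIza-PLACEHOLDER",authDomain:"demo.firebaseapp.com",
projectId:"demo-app-placeholder",storageBucket:"demo-app-placeholder.appspot.com"};
db.collection("users").get();db.collection("orders").where("paid","==",true);'''

def extract_firebase_config(js: str) -> Dict[str, str]:
    """Stage 1: does this bundle initialise Firebase, and for which project?"""
    found = {}
    for key in ("apiKey", "authDomain", "projectId", "storageBucket"):
        m = re.search(r'["\']?' + key + r'["\']?\s*:\s*["\']([^"\']+)["\']', js)
        if m:
            found[key] = m.group(1)
    return found

def extract_collection_names(js: str) -> List[str]:
    """Collections the bundle names itself; these head the read-rule audit list."""
    return sorted(set(re.findall(r'collection\(\s*["\']([^"\']+)["\']', js)))
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
HASH_RE = re.compile(r"^(\$2[aby]\$|\$argon2|\$pbkdf2|[0-9a-f]{32,}$)")
NAME_KEYS = {"name", "fullname", "full_name", "firstname", "first_name", "lastname", "last_name"}
BILLING_HINTS = ("card", "iban", "account_number", "billing", "cvv")  # constructed heuristics

def classify_record(rec: Dict[str, Any]) -> Set[str]:
    """Sensitive categories one document exposes, judged by field name and value shape."""
    cats: Set[str] = set()
    for key, val in rec.items():
        if not isinstance(val, str) or not val:
            continue
        k = key.lower()
        if "password" in k or "passwd" in k:
            cats.add("hashed_password" if HASH_RE.match(val) else "plaintext_password")
        elif any(h in k for h in BILLING_HINTS):
            cats.add("billing")
        elif k in NAME_KEYS:
            cats.add("name")
        elif EMAIL_RE.match(val):
            cats.add("email")
        elif "phone" in k and PHONE_RE.match(val):
            cats.add("phone")
    return cats

def estimate_exposure(sample: List[Dict[str, Any]], total_count: int) -> Dict[str, int]:
    """Stage 2: count categories across a sample (e.g. 100 docs) and scale to the full collection."""
    counts = Counter(c for rec in sample for c in classify_record(rec))
    return {c: round(n * total_count / len(sample)) for c, n in counts.items()} if sample else {}
```

The extrapolation is only as good as the sample: a collection whose early documents are test accounts will under-count, so sample from more than one offset before trusting the totals.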
The findings were stored in a database using Supabase, an open-source competitor to Firebase, chosen with a touch of irony.
The database contained detailed records of the exposed data, including project IDs, website URLs, counts of names, emails, phone numbers, hashed passwords, plaintext passwords, and billing information.
Silid LMS: A learning platform with 27 million affected users, leading in total exposed user records.
Online gambling network: Featuring rigged games and the most exposed bank account details and plaintext passwords.
Lead Carrot: An online lead generator with 22 million affected people.
MyChefTool: A restaurant business management app, leading in exposed names and emails.
The team's efforts to notify the affected sites resulted in 842 emails sent over 13 days, with an 85% delivery rate.
Only 24% of site owners fixed the misconfiguration, and only 1% responded to the emails.
This extensive investigation illuminates the critical need for better security practices and awareness among developers using platforms like Firebase.
This Cyber News was published on gbhackers.com. Publication date: Tue, 19 Mar 2024 12:13:04 +0000