Millions of user records exposed by 900+ sites via Firebase The Register

At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers.
Among these websites, it's estimated that at least 125 million user records were found to be publicly accessible, including billing information and plaintext passwords.
In short: If you're using Google's Firebase, make sure it's securely configured to avoid leaking private info to the rest of the world.
Firebase is a popular backend service that websites and apps use for storing data in the cloud.
It provides security rules to keep data safe, in theory anyway.
In practice, we recall an incident where 24,000 Android apps exposed data through ham-handed Firebase implementations.
That developer did not immediately respond to a request for further comment, nor did Google.
The penetration testers, who go by the names mrbruh, xyzeva and logykk, previously identified exposed credentials in AI hiring service chattr's Firebase implementation.
They found a way to use Firebase's registration feature to create a new user with administrative read and write privileges.
Following that dumpster fire, the cyber-trio decided to conduct an internet-wide search for poorly configured Firebase databases using a scanning program converted from Python into Go to tame a memory leak.
The renovated code took between two and three weeks to scour 5.2 million domains, and ultimately ended up with a list of data obtainable from more than 900 websites.
All told, the list included almost 125 million records, with 85 million names, 106 million email addresses, 34 million phone numbers, 20 million passwords, and 27 million billing details.
The researchers, who note that the actual numbers are probably larger, say they spent two weeks sending email notifications to 842 of the websites, of which 85 percent got through and nine percent bounced.
From this, they say 24 percent of site owners fixed the misconfiguration, though just one percent of site owners mailed back and a mere 0.2 percent of site owners - just two of them - offered some form of bug bounty.
Configuration mishaps of this sort were common for many years with AWS, until AWS decided it would help customers avoid shooting themselves in the foot through more secure default settings.
According to OWASP, security misconfiguration ranks fifth among the top ten most common vulnerabilities, with an average incidence rate of 4.51 percent.


This Cyber News was published on go.theregister.com. Publication date: Mon, 18 Mar 2024 21:43:05 +0000


Cyber News related to Millions of user records exposed by 900+ sites via Firebase The Register

CVE-2017-14132 - JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, 1.900.29, 1.900.30, 1.900.31, ...
3 years ago
CVE-2018-19540 - An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, ...
3 years ago
CVE-2018-19541 - An issue was discovered in JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900.14, 1.900.15, 1.900.16, 1.900.17, 1.900.18, 1.900.19, 1.900.20, 1.900.21, 1.900.22, 1.900.23, 1.900.24, 1.900.25, 1.900.26, 1.900.27, 1.900.28, ...
3 years ago
Millions of user records exposed by 900+ sites via Firebase The Register - At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers. Among these ...
7 months ago Go.theregister.com
900+ websites Exposing 10M+ Passwords: Most in Plaintext - Over 900 websites inadvertently expose over 10 million passwords, many of which are in plaintext, alongside sensitive billing information and personally identifiable information of approximately 125 million users. This massive data exposure is ...
7 months ago Gbhackers.com
Electronic Frontier Foundation - We're not just talking about the ballot box, but the everyday power we all have to demand government agencies make their records and data available to public scrutiny. At every level of government in the United States, there are laws that empower the ...
7 months ago Eff.org
Misconfigured Firebase Instances Expose 125 Million User Records - Hundreds of websites misconfigured Google Firebase, leaking more than 125 million user records, including plaintext passwords, security researchers warn. It all started with the hacking of Chattr, the AI hiring system that serves multiple ...
7 months ago Securityweek.com
Data Breaches in US Schools Exposed 37.6M Records - Since 2005, educational institutions in the United States have experienced 3713 data breaches, impacting over 37.6m records. According to new data by Comparitech, 2023 marked a record year, with 954 breaches recorded - a dramatic rise from 139 in ...
5 months ago Infosecurity-magazine.com
CVE-2013-0135 - Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) ...
7 years ago
CVE-2017-17713 - Trape before 2017-11-05 has SQL injection via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp ...
6 years ago
CVE-2017-17714 - Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId parameter, the /register User-Agent HTTP header, the /register country parameter, the /register countryCode parameter, the /register cpu parameter, the /register isp parameter, ...
6 years ago
CVE-2023-52780 - In the Linux kernel, the following vulnerability has been resolved: net: mvneta: fix calls to page_pool_get_stats Calling page_pool_get_stats in the mvneta driver without checks leads to kernel crashes. First the page pool is only available if the bm ...
5 months ago Tenable.com
CVE-2024-47716 - In the Linux kernel, the following vulnerability has been resolved: ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP ...
2 weeks ago Tenable.com
4500+ WordPress Sites Hacked with a Monero Cryptojacking Campaign - Security researchers recently reported the discovery of a massive Monero hacking campaign targeted at WordPress sites. According to reports, more than 4500 WordPress sites were compromised with a malicious cryptocurrency-mining campaign. The hackers ...
1 year ago Thehackernews.com
Researchers Uncovered an Active Directory DNS spoofing exploit - In the intricate web of our interconnected world, the Domain Name System stands as a linchpin, directing users to their online destinations. Even this vital system is not impervious to the dark art of malicious manipulation. In a recent revelation by ...
10 months ago Gbhackers.com
US School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak - Every year, hundreds of millions of files, personal records, and documents are accidentally exposed online. Owners of dating apps, colossal marketing databases, and even a spy agency have published information to the web by leaving it in unsecured ...
9 months ago Wired.com
Android game dev's Google Drive misconfig highlights cloud security risks - Japanese game developer Ateam has proven that a simple Google Drive configuration mistake can result in the potential but unlikely exposure of sensitive information for nearly one million people over a period of six years and eight months. The ...
10 months ago Bleepingcomputer.com
Hugging Face API tokens exposed, major projects vulnerable The Register - The API tokens of tech giants Meta, Microsoft, Google, VMware, and more have been found exposed on Hugging Face, opening them up to potential supply chain attacks. Researchers at Lasso Security found more than 1,500 exposed API tokens on the open ...
11 months ago Go.theregister.com
You should be worried about cloud squatting - Most security issues in the cloud can be traced back to someone doing something stupid. I do see misconfigured cloud resources, such as storage and databases, that lead to vulnerabilities that could easily be avoided. Although cloud squatting is ...
10 months ago Infoworld.com
CVE-2024-50002 - In the Linux kernel, the following vulnerability has been resolved: static_call: Handle module init failure correctly in static_call_del_module() Module insertion invokes static_call_add_module() to initialize the static calls in a module. ...
2 weeks ago Tenable.com
500k Irish National Police records exposed by third party The Register - A third-party contractor running a database without password protection exposed more than 500,000 records related to vehicle seizures by the Irish National Police. Security researcher Jeremiah Fowler found various records dating back to 2017 ...
11 months ago Theregister.com
DonorView exposes 1M records for unknown time frame The Register - Close to a million records containing personally identifiable information belonging to donors that sent money to non-profits were found exposed in an online database. The database is owned and operated by DonorView - provider of a cloud-based ...
10 months ago Go.theregister.com
DonorView exposes 1M records for unknown time frame The Register - Close to a million records containing personally identifiable information belonging to donors that sent money to non-profits were found exposed in an online database. The database is owned and operated by DonorView - provider of a cloud-based ...
10 months ago Packetstormsecurity.com
DonorView exposes 1M records for unknown time frame The Register - Close to a million records containing personally identifiable information belonging to donors that sent money to non-profits were found exposed in an online database. The database is owned and operated by DonorView - provider of a cloud-based ...
10 months ago Theregister.com
CVE-2024-4128 - This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious ...
6 months ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)