
- Cybernews found three misconfigured photo ID apps leaking sensitive user data via exposed Firebase instances
- Breach exposed emails, usernames, profile photos, GPS coordinates, and notification tokens, affecting ~152K users
- Hackers already accessed the open databases; developers remain unresponsive despite repeated contact attempts
Multiple mobile applications that identified objects in photographs were leaking highly sensitive information on the internet, and hackers managed to pick it up.
All three applications had misconfigured Firebase instances resulting in insufficient authentication and access controls. The data was sitting in an open database, and included people’s email addresses, usernames (often including full names), Firebase Cloud Messaging (FCM) notification tokens, profile photos, and GPS coordinates.
You will notice that not all users of the apps were compromised. This is likely due to optional features relying on the misconfigured Firebase instances, so it is possible that only people who enabled certain extras were compromised.
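The kind of access-control gap described above can be caught by auditing the database rules before release. The following is an added example, not code from Cybernews or the affected apps; it assumes the Firebase Realtime Database rules format (the article does not say which Firebase product was involved), and the `users/$uid` layout is hypothetical.

```python
import json

# Constructed rulesets in Firebase Realtime Database rules format. The
# "users/$uid" layout is an assumption for illustration, not the apps' schema.
OPEN_RULES = json.loads("""
{"rules": {".read": true, ".write": true,
           "users": {"$uid": {".read": "auth != null"}}}}
""")
HARDENED_RULES = json.loads("""
{"rules": {".read": false, ".write": false,
           "users": {"$uid": {
               ".read": "auth != null && auth.uid === $uid",
               ".write": "auth != null && auth.uid === $uid"}}}}
""")


def classify(rule):
    """Return a finding for one .read/.write rule, or None if it looks scoped."""
    text = str(rule).lower() if isinstance(rule, bool) else rule.replace(" ", "")
    if text == "false":
        return None
    if text == "true":
        return "public"
    if "auth" not in text:
        return "no-auth-check"       # condition never looks at the caller
    if text in ("auth!=null", "auth!==null"):
        return "any-signed-in-user"  # every account can reach every record
    return None


def audit(node, path=""):
    """Walk a rules tree; return (path, rule, finding) for each weak grant."""
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            finding = classify(value)
            if finding:
                findings.append((path or "/", key, finding))
        elif isinstance(value, dict) and not key.startswith("."):
            findings.extend(audit(value, f"{path}/{key}"))
    return findings


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules["rules"]))
```

In Realtime Database rules a grant at a parent path also applies to every child path, so a finding at `/` means per-user rules further down offer no protection.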
Hackers sniffed them out
According to Cybernews, the three apps found to be leaking data were:
- Dog Breed Identifier Photo Cam (500K downloads, 66,182 users affected)
- Spider Identifier App by Photo (500K downloads, 40,779 users affected)
- Insect identifier by Photo Cam (1M downloads, 45,005 users affected)
Most of the data could be used maliciously for phishing and identity theft, but GPS coordinates make this breach even worse, since they can uncover where people live, where they go to work, and what their daily habits are.
Cybernews’ researchers said that they found a Proof-of-Concept entry in the databases, which is a “common marker left behind by automated bots that scan the internet for unsecured databases”. In other words, hackers had already found the files.
“The number of app installs is significant. It's a common metric users rely on to gauge the app’s popularity, which is also a trust factor,” said the Cybernews research team. “These data leaks show that relying solely on an app's popularity to gauge its security is not enough.”
Unfortunately, the researchers could not get in touch with the apps’ developers, despite reaching out on numerous occasions.
Via Cybernews