A relatively popular Android voice chat app was found leaking sensitive user data, with anyone who knew where to look able to access it.
The OyeTalk app was using Google’s Firebase mobile application development platform, which also offers cloud-hosted databases. According to researchers from Cybernews, OyeTalk’s Firebase instance was not password-protected, meaning its contents were available for all to see.
The contents, the researchers further explained, included people’s usernames, unencrypted chats, and IMEI numbers. This last bit is somewhat more concerning as IMEI can be used by threat actors (and law enforcement, as well) to identify (opens in new tab) the device and its legal owner.
“Spilling IMEI numbers on every message sent is a vast privacy intrusion, as the message is permanently associated with a specific device and its owner at the time,” the researchers said. “Threat actors could exploit it to impose ransom.”
The database was roughly 500MB in size, meaning potential attackers could easily have downloaded or deleted it - with the latter scenario meaning there was a possibility of permanent loss of user private messages.
> Check out the best firewalls right now (opens in new tab)
> Unsecured cloud database leaked personal information of over 100m US citizens (opens in new tab)
> These countries have the most exposed databases online (opens in new tab)
Besides sensitive user data, the app was leaking secrets such as API keys and Google storage buckets too, as these were allegedly hardcoded in the app’s client side. For researchers at Cybernews, this is “sloppy” work by the developers, as hardcoding sensitive data into the client side of an Android app like this is “unsafe, as in most cases it can be easily accessed through reverse engineering.”
“In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems,” the researchers warned.
Even after being notified of the open database, the devs did nothing, Cybernews said, but luckily enough, Google’s security measures managed to close off the instance.
- These are the best antivirus (opens in new tab) products right now
Via: Cybernews (opens in new tab)