A relatively popular Android voice chat app was found leaking sensitive user data, with anyone who knew where to look able to access it.
The OyeTalk app was using Google’s Firebase mobile application development platform, which also offers cloud-hosted databases. According to researchers from Cybernews, OyeTalk’s Firebase instance was not password-protected, meaning its contents were available for all to see.
The contents, the researchers further explained, included people’s usernames, unencrypted chats, and IMEI numbers. This last bit is somewhat more concerning as IMEI can be used by threat actors (and law enforcement, as well) to identify the device and its legal owner.
Irreversible damage
“Spilling IMEI numbers on every message sent is a vast privacy intrusion, as the message is permanently associated with a specific device and its owner at the time,” the researchers said. “Threat actors could exploit it to impose ransom.”
The database was roughly 500MB in size, meaning potential attackers could easily have downloaded or deleted it - with the latter scenario meaning there was a possibility of permanent loss of user private messages.
Besides sensitive user data, the app was leaking secrets such as API keys and Google storage buckets too, as these were allegedly hardcoded in the app’s client side. For researchers at Cybernews, this is “sloppy” work by the developers, as hardcoding sensitive data into the client side of an Android app like this is “unsafe, as in most cases it can be easily accessed through reverse engineering.”
“In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems,” the researchers warned.
Even after being notified of the open database, the devs did nothing, Cybernews said, but luckily enough, Google’s security measures managed to close off the instance.
- These are the best antivirus products right now
Via: Cybernews
