Firebase vulnerability leaked 19 million plaintext passwords of 900 sites

About 125 million user accounts, including 19 million plaintext passwords, of 900 websites have been exposed on the public Internet due to misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development.

Among the staggering 125 million sensitive user records exposed were other sensitive data such as emails, names, phone numbers, and billing information containing bank details.

The research trio of Logykk, xyzeva/Eva, and MrBruh conducted extensive scans across more than five million domains, uncovering 916 websites from various organisations with either no security rules enabled or incorrectly configured security settings.

Despite encountering challenges during their investigation, including high memory consumption with initial scanning scripts, the researchers persevered and ultimately discovered 223,172,248 exposed records, of which 124,605,664 were user-related.

Silid LMS, a learning management system, was the most exposed of all affected websites, with over 27 million user records leaked. It was followed by Lead Carrot, an online lead generator, affecting 22 million people.

Another website, MyChefTool, ranked first in the number of exposed names and second in the number of exposed emails.

Eva, one of the researchers, highlighted the alarming findings, stating that numerous Firebase instances lacked adequate security rules or were configured improperly, granting unauthorised read access to databases.

[Image: firebaseleak ss2. Source: MrBruh]

Additionally, many of these instances had write access enabled, exacerbating the security risks.

The researchers utilised a script called Catalyst, developed by Eva, to analyse exposed databases and extract a sample of 100 records from each, revealing the extent of the compromised data:

  • Names: 84,221,169
  • Emails: 106,266,766
  • Phone Numbers: 33,559,863
  • Passwords: 20,185,831
  • Billing Information (including bank details): 27,487,924

Plaintext passwords account for about 98% of all passwords discovered, which is particularly concerning. The researchers said that the companies should use Firebase Authentication, an end-to-end identity solution provided by Firebase, to handle sign-in securely without storing or exposing user passwords.
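The open configuration the article describes (no rules, or read and write granted to everyone) and the remedy the researchers point to (Firebase Authentication) can both be shown in a Realtime Database rules file. The following `database.rules.json` is an added example, not from the article or the researchers; the `users` and `catalog` paths are assumed, and Firebase's rules parser accepts the `//` comments.

```json
{
  "rules": {
    // Open configuration as found on the exposed instances: every
    // unauthenticated client on the Internet can read and write the
    // entire tree. Never ship this.
    // ".read": true,
    // ".write": true,

    // Hardened configuration. Rules deny by default, so only the paths
    // listed below are reachable at all.
    "users": {
      "$uid": {
        // A signed-in user (Firebase Authentication) may read and write
        // only their own record; $uid must match the token's uid.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",

        // Credentials belong to Firebase Authentication, not to the
        // database: reject any write that tries to store a password.
        "password": { ".validate": false },

        // Allow only the expected fields on a user record.
        "email": { ".validate": "newData.isString()" },
        "name": { ".validate": "newData.isString()" },
        "phone": { ".validate": "newData.isString()" },
        "$other": { ".validate": false }
      }
    },

    // Genuinely public, read-only data may be opened for reading,
    // but writes still require a privileged path such as the Admin SDK.
    "catalog": {
      ".read": true,
      ".write": false
    }
  }
}
```

Deploy with `firebase deploy --only database` and confirm that an unauthenticated request for `/.json` on the database host now returns a permission-denied error rather than data.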

Following their analysis, the researchers made concerted efforts to notify affected companies about the misconfigured Firebase instances, sending over 842 emails over 13 days. While only a small fraction of site owners responded, a significant portion took steps to rectify the misconfiguration.

The researchers also recalled a previous project in which they gained admin and ‘superadmin’ permissions on a Firebase instance used by Chattr, an AI-powered hiring software solution used by prominent fast-food chains in the United States. This prior experience underscored the risks posed by misconfigured Firebase instances and the importance of robust security measures in safeguarding sensitive data.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me