Friday, March 29, 2024

Misconfiguration of 3rd Party Cloud Services Exposed Data of 100 mil Users: Check Point


After examining 23 Android applications, Check Point Research (CPR) found that mobile app developers had potentially exposed the personal data of over 100 million users through a variety of misconfigurations of third-party cloud services. The exposed data included email addresses, chat messages, locations, passwords and photos, which in the hands of malicious actors could lead to fraud, identity theft and service swipes (reuse of a leaked username and password on other services).

  • CPR discovered publicly available sensitive data in the real-time databases of 13 Android applications, with the number of downloads per app ranging from 10,000 to 10 million
  • CPR found push notification and cloud storage keys embedded in a number of the Android applications themselves
  • CPR provides examples of vulnerable applications: an astrology app, a taxi app, a logo maker, a screen recorder and a fax app, each of which left users and developers exposed to malicious actors

Modern cloud-based solutions have become the new standard in the mobile application development world. Services such as cloud-based storage, real-time databases, notification management, analytics, and more are simply a click away from being integrated into applications. Yet, developers often overlook the security aspect of these services, their configuration, and of course, their content.

CPR recently discovered that in the last few months, many application developers have left their data and millions of users’ private information exposed by not following best practices when configuring and integrating third-party cloud services into their applications. The misconfigurations put users’ personal data and developers’ internal resources, such as access to update mechanisms, storage and more, at risk.

Misconfiguring Real-Time Databases: Real-time databases allow application developers to store data on the cloud, making sure it is synchronized in real-time to every connected client. This service solves one of the most encountered problems in application development, while making sure that the database is supported for all client platforms. However, what happens if the developers behind the application do not configure their real-time database with a simple and basic feature like authentication?

This misconfiguration of real-time databases is not new and remains widespread, affecting millions of users. All CPR researchers had to do was attempt to access the data: with no authentication rules in place, nothing stopped the unauthorized access.
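The check described above, as an added example that is not part of the original article or of Check Point's research: a small Python audit of real-time database security rules that flags any path readable or writable without a condition, beside a hardened rule set that ties access to the signed-in user. The page does not name the database product; the rules format of Firebase Realtime Database (a JSON tree whose ".read" and ".write" values are booleans or rule-expression strings) is assumed here, and the rules, database name and paths are constructed for illustration.

```python
"""
Audit Firebase-style Realtime Database security rules for the
misconfiguration described above: data readable (or writable) by
anyone, with no authentication required.

Assumption (not stated on the page): the database is Firebase Realtime
Database, whose rules are a JSON tree with ".read"/".write" keys whose
values are booleans or rule-expression strings.  Every rule set,
database name and path below is constructed for illustration.
"""
import json

# Constructed example: the kind of rules file that leaves the whole
# database open to anyone who knows the URL.
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed hardened version: a user may read and write only their own
# subtree, and only when signed in.  One subtree is deliberately left
# world-readable (but not writable) so the audit shows how it is reported.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_horoscopes": {
      ".read": true,
      ".write": "auth != null && auth.token.admin == true"
    }
  }
}
""")


def _is_unconditional(value):
    """True when a rule grants access with no condition at all."""
    if value is True:
        return True
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def find_open_paths(rules):
    """
    Walk a rules tree and return a sorted list of (path, permission)
    pairs where ".read" or ".write" is granted unconditionally.
    A finding at "/" means the entire database is exposed.
    """
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_unconditional(value):
                    findings.append((path or "/", key[1:]))
            elif key not in (".validate", ".indexOn"):
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return sorted(findings)


def unauthenticated_probe_url(database_name):
    """
    URL an auditor (or attacker) fetches with no credentials to test the
    database: the REST API is reached by appending ".json" to a path.
    No request is made here; this only shows what is being tried.
    """
    return f"https://{database_name}.firebaseio.com/.json"


def assess(rules):
    """Return a one-line verdict for a rules document."""
    open_paths = find_open_paths(rules)
    writable = [p for p, perm in open_paths if perm == "write"]
    if writable:
        return "CRITICAL: unauthenticated write at " + ", ".join(writable)
    if open_paths:
        return "WARNING: unauthenticated read at " + ", ".join(p for p, _ in open_paths)
    return "OK: no unconditional access rules"


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name:9s} {assess(rules)}")
    print("probe:", unauthenticated_probe_url("example-app-12345"))
```

Anything unconditionally writable is reported as CRITICAL, since an attacker can then alter the data every client syncs; an intentionally public read-only subtree still surfaces as a WARNING so it is reviewed rather than silently accepted. The probe URL is what an unauthenticated tester would request: getting the data back instead of a permission-denied error is exactly the exposure CPR describes.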

While investigating the content of the publicly available databases, we were able to recover a great deal of sensitive information, including email addresses, passwords, private chats, device locations, user identifiers and more. If a malicious actor gains access to this data, it could lead to service swipes (i.e., trying the same username and password combination on other services), fraud and/or identity theft.

CPR researchers found that Astro Guru, a popular astrology, horoscope and palmistry app with over 10 million downloads, has this misconfiguration. After users enter personal information such as their name, date of birth, gender, location, email and payment details, Astro Guru provides them with a personal astrology and horoscope prediction report. Imagine exposing sensitive data for a horoscope prediction!
