Check Point Research found thousands of Firebase cloud databases that exposed chat messages in gaming apps, personal photos, token IDs in healthcare apps and data from cryptocurrency platforms.
One of the apps, from a large department store in South America (10+ million downloads), had mistakenly exposed its API gateway credentials and API keys. CPR was able to access this data without encountering any protective mechanism. Other similar apps had their data exposed for all to see:
- Bookkeeping application (1+ million downloads)
- Dating application (10,000+ downloads)
- Social audio platform application (5+ million downloads)
- Running tracker application (100,000+ downloads)
- Logo design application (10+ million downloads)
- PDF reader application (500,000+ downloads)
This is yet another example of how easy it is to extract API credentials from a mobile app and reuse them, either in a modified copy of the app or in a script, to pull personal data from the backend. Every organization with customer-facing apps must assume that any secret shipped inside the app will eventually be extracted and have a mitigation plan in place for when it is. One of the most effective approaches is to ensure that APIs can only be accessed by genuine, unmodified apps running in safe environments, so that a static key on its own is never enough to reach the API. This kind of run-time shielding for mobile apps can be put in place without re-architecting the backend and should be a priority for anyone deploying mobile apps. It complements, rather than replaces, correct access control on the backend itself: a Firebase database whose rules allow unauthenticated reads is exposed regardless of what the client does.
APIs are everything in modern software. Processes talking to processes is how most new software is constructed, and attackers know this. Many organizations have become better at monitoring their human accounts, but service accounts remain a weak spot. They must be inventoried, reviewed and rotated. Short-lived, dynamically issued service-account credentials and the Zero Standing Privileges principle are also strongly recommended for service-account management, so that a credential stolen today is useless tomorrow.
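The following is an added example, not code from Check Point Research or from any vendor the page refers to. It models the two ideas above in one place: an API gateway that refuses a request carrying only a static API key and demands a short-lived, signed attestation token that a script or tampered app cannot obtain, and credentials that expire rather than stand indefinitely. The attestation service, its HMAC signing key, the header names, the static key and the app identifier are all constructed for the example; a real deployment would use a proper attestation provider and asymmetric signatures.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed secrets for this example only (not real keys). The attestation signing
# key lives only on the attestation service and the API gateway; it never ships in
# the app, unlike the static API key that gets extracted from APKs.
ATTESTATION_KEY = b"example-attestation-signing-key-do-not-use"
STATIC_API_KEY = "example-static-api-key-embedded-in-app"  # assume this has leaked
APP_ID = "com.example.store"  # hypothetical app identifier
TOKEN_TTL_SECONDS = 300  # short-lived: a stolen token is worthless within minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation_token(app_id: str, integrity_passed: bool, now: int) -> Optional[str]:
    """Simulated attestation service.

    Only an app instance that passed the integrity check (genuine binary, untampered
    runtime) receives a short-lived HMAC-signed token. A script or modified app that
    merely possesses the static API key gets nothing, so it holds no standing credential.
    """
    if not integrity_passed:
        return None
    payload = {"app": app_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    sig = _b64(hmac.new(ATTESTATION_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_attestation_token(token: str, now: int) -> Tuple[bool, str]:
    """Gateway-side check: genuine signature, not expired, issued for this app."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed token"
    expected = _b64(hmac.new(ATTESTATION_KEY, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    if payload.get("app") != APP_ID:
        return False, "token issued for a different app"
    return True, "ok"


def gateway_authorize(headers: Dict[str, str], now: int) -> Tuple[bool, str]:
    """API gateway policy: the static key identifies the app, the attestation token proves it."""
    if headers.get("X-Api-Key") != STATIC_API_KEY:
        return False, "unknown api key"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing attestation token"
    return verify_attestation_token(auth[len("Bearer "):], now)


def run_scenarios(now: Optional[int] = None) -> Dict[str, object]:
    """Replays the situations from the article against the gateway and reports the verdicts."""
    now = int(time.time()) if now is None else now
    genuine = issue_attestation_token(APP_ID, integrity_passed=True, now=now)
    tampered = issue_attestation_token(APP_ID, integrity_passed=False, now=now)
    stale = issue_attestation_token(APP_ID, integrity_passed=True, now=now - 2 * TOKEN_TTL_SECONDS)
    # An attacker who knows the token format but not the signing key forges one anyway.
    forged_body = _b64(json.dumps({"app": APP_ID, "iat": now, "exp": now + 3600}, sort_keys=True).encode())
    forged = forged_body + "." + _b64(hmac.new(b"guessed-key", forged_body.encode(), hashlib.sha256).digest())

    return {
        "genuine_app": gateway_authorize(
            {"X-Api-Key": STATIC_API_KEY, "Authorization": f"Bearer {genuine}"}, now),
        # A script using only the key scraped from the APK, as in the CPR findings.
        "script_with_leaked_key": gateway_authorize({"X-Api-Key": STATIC_API_KEY}, now),
        # A modified app fails attestation, so it never receives a token to present.
        "tampered_app_got_token": tampered is not None,
        "forged_token": gateway_authorize(
            {"X-Api-Key": STATIC_API_KEY, "Authorization": f"Bearer {forged}"}, now),
        # A token captured earlier and replayed after its short lifetime.
        "replayed_stale_token": gateway_authorize(
            {"X-Api-Key": STATIC_API_KEY, "Authorization": f"Bearer {stale}"}, now),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The point of the design is that the static key, which must be assumed compromised, only routes the request; authorization rests on a credential that is issued per run, bound to an integrity check and expires in minutes. The same pattern applies to service-to-service calls: replace the long-lived service-account secret with a short-lived token minted on demand and there is no standing privilege left to steal.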