One of the simplest and most damaging types of security incident occurs when developers fail to enforce authentication for the database or cloud instance that supports their mobile app. It has happened numerous times with unprotected Amazon S3 buckets exposing sensitive data, such as in the cases of Booz Allen Hamilton, Verizon and the Pentagon.
Research from mobile application security company Appthority Inc. -- now owned by Symantec -- demonstrated that this problem isn't restricted to just misconfigured Amazon infrastructure. The report detailed numerous exposed Google Firebase databases that support mobile apps and contain detailed user information.
Appthority discovered 2,300 unsecured Firebase instances, with a total of over 100 million user records exposed. This included highly sensitive data, such as personally identifiable information, health records and 2.6 million plaintext passwords. If this data had been compromised by hackers, it would have been highly damaging to the affected companies, both in terms of reputational damage and probable regulatory fines.
The difference between unsecured Firebase and AWS
A key difference between the data exposed by Amazon S3 buckets and these unsecured Firebase instances is that, while Amazon is secured by default and, therefore, has to be accidentally configured to expose data, Firebase is unsecured when it is first installed, and it requires developers to secure individual tables and rows.
While this isn't complicated and Google provides detailed documentation on how to configure Firebase securely, it shows that developers are not necessarily trained in security, or are not given the time in the development lifecycle to apply the correct security controls. This is a problem in most development, not just mobile apps. However, in this case, it is easier to inadvertently expose sensitive data because the developers use a cloud-based infrastructure.
The unsecured data is relatively easy for hackers to discover. There are tools such as Shodan that index the whole internet and permit a user to search for specific key terms, allowing anyone who knows the correct search terms to identify exposed instances. As the data is then exposed to anyone without requiring authentication to the database, any hacker targeting this type of vulnerability can gain access to the data without requiring a significant level of technical knowledge.
These unsecured Firebase databases demonstrate that even in the current age of heightened cybersecurity awareness, simple mistakes can expose sensitive data. While new complex vulnerabilities are continually being discovered, these are often not particularly exploitable in the real world and require significant effort or technical expertise.
Vulnerabilities such the unsecured Firebase instances, however, are trivially simple to exploit and, therefore, are far more likely to lead to a data breach of the affected organizations. It demonstrates why an investment in secure development skills and simply allowing time in the development lifecycle to ensure these types of vulnerabilities are identified and fixed before the data is exposed is essential to minimize the risk of an inadvertent data breach.