More than 4M PHI Records Exposed by Firebase Mobile App Vulnerability

A mobile app vulnerability in Google Firebase is exposing protected health information (PHI) and other sensitive data.

Mobile app security firm Appthority found more than 2,300 unsecured Firebase databases and 3,000 iOS and Android apps with this security flaw.

Users have downloaded Android versions of these apps more than 620 million times.

The mobile app vulnerability exposed more than four million PHI records, such as chat messages and prescription details.

All told, the vulnerability exposed more than 100 million sensitive records, including 2.6 million plain text passwords and user IDs, 25 million GPS location records, and 50,000 financial records.

Firebase is a backend database technology for mobile apps, but it does not secure user data by default, explained Appthority.

Developers must secure all tables and rows of data to avoid data leaks. Attackers can easily find open Firebase app databases and gain access to millions of private mobile app data records.
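The exposure described here comes down to Realtime Database security rules that grant read or write access without requiring authentication. The following audit script is an added example (not Appthority's tooling or Google's API): it walks a rules document and reports every path whose `.read` or `.write` rule is granted unconditionally or never references `auth`. Both rule sets are constructed samples; a root-level `.read: true` is flagged once at `/` even though Firebase cascades it to every child row.

```python
"""Audit Firebase Realtime Database security rules for unauthenticated access."""
import json

# Constructed sample: root-level open rules, the misconfiguration behind the leak.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed sample: per-user rows readable only by their owner, plus one
# intentionally public, read-only config node.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public_config": {".read": True, ".write": False},
    }
})


def _is_open(expr) -> bool:
    """True when a rule grants access with no authentication check.

    Heuristic: a literal true, the string "true", or any rule expression that
    never mentions `auth` is treated as reachable by anonymous clients.
    """
    if expr is True:
        return True
    if isinstance(expr, str):
        text = expr.strip().lower()
        return text == "true" or "auth" not in text
    return False


def find_open_paths(rules_json: str):
    """Return (path, permission) pairs that unauthenticated clients can use."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    print("open rules:", find_open_paths(OPEN_RULES))
    print("hardened rules:", find_open_paths(HARDENED_RULES))
```

The hardened set still reports `/public_config` for `.read`, which is the correct outcome: the audit lists every anonymous-access grant so a reviewer can confirm each one is intentional.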

Firebase Wears HospitalGown

The Firebase data exposure is a new variant of HospitalGown that occurs when mobile app developers fail to require authentication to a Google Firebase cloud database.

HospitalGown exposes an enterprise to Big Data exfiltration, leakage of personally identifiable information, and data theft.

Apps suffering from the HospitalGown flaw are doing what they are supposed to do. They don’t compromise the device and aren’t being attacked.

These apps are available on reputable sites like Google Play and the Apple App Store. Apps with this mobile app vulnerability likely pass all mobile app reputation tests.

These apps leak massive amounts of data. In total, Appthority found the HospitalGown vulnerability exposed almost 43 terabytes of data and affected 1,000 apps.

A thousand apps leak terabytes of data, all due to simple human error: failure to secure the backend data stores.