- Cybernews discovered three misconfigured photo ID apps that leaked sensitive user data through exposed Firebase instances.
- Breach of emails, usernames, profile photos, GPS coordinates and notification tokens exposed, affecting approximately 152,000 users
- Hackers have already accessed open databases; developers remain unresponsive despite repeated contact attempts
Several mobile applications for identifying objects in photographs leaked very sensitive information on the Internet, and hackers managed to recover it.
All three apps had misconfigured Firebase instances, resulting in insufficient authentication and access controls. The data was in an open database and included people’s email addresses, usernames (often including full names), Firebase Cloud Messaging (FCM) notification tokens, profile photos, and GPS coordinates.
You will notice that not all users of the applications were compromised. This is likely due to optional features relying on poorly configured Firebase instances. It is therefore possible that only people who activated certain extras were compromised.
Hackers spotted them
According to Cybernews, the three apps that leaked data were:
- Dog Breed Identification Photo Camera (500,000 downloads, 66,182 users affected)
- Spider Identify by Photo application (500,000 downloads, 40,779 users affected)
- Insect Identifier by Photo Cam (1M downloads, 45,005 users affected)
Most data could be used maliciously for phishing and identity theft, but GPS coordinates make this breach even worse because they can reveal where people live, where they go to work, and what their daily habits are.
Cybernews researchers said they found a proof-of-concept entry in the databases, which is a “common marker left by automated bots that scan the Internet for insecure databases.” In other words, the hackers have already found the files.
“The number of app installs is important. It is a common metric that users rely on to gauge app popularity, which is also a trust factor,” the Cybernews research team said. “These data leaks show that it is not enough to rely solely on the popularity of an application to assess its security.”
Unfortunately, the researchers were unable to get in touch with the developers of the apps, despite numerous attempts to contact them.
Via Cybernews
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
