Mobile applications handle user data including emails, chat messages, location, and passwords. Security researchers have discovered 23 Android applications that exposed the personal data of more than 100 million users through various misconfigurations of third-party cloud services.
According to Check Point Research, the data exposed by the Android apps includes emails, chat messages, location, passwords, and photos. The researchers said this left users exposed to fraud, identity theft and reuse of the same username and password combination against other services.
These 13 Android apps have between 10,000 and 10 million downloads:
The first problem the researchers discovered was misconfiguration of the real-time databases that developers use to store data in the cloud and sync it with connected users. In 13 Android applications, with download counts ranging from 10 thousand to 10 million, there was no authentication to prevent hackers from retrieving these databases, which contained email addresses, passwords, private chats, device locations, user identifiers and more.
Users' personal data was also easily accessible:
In one application with more than 50,000 downloads, researchers could access chat messages between drivers and passengers. They could also access users' full names, phone numbers, and locations (destinations and pick-ups) by sending a single request to the database.
The second problem involved notification services. Most automatic notification services require a key, or sometimes a password, to recognize the identity of the sender of a request. When these keys are embedded in the application's own file, it becomes easy for hackers to take control and send notifications, which may contain unpleasant links or content, to users on behalf of the developer.
The third problem occurred in cloud storage. In one application, researchers could access the cloud storage keys that are built into the application, and with them all stored fax transmissions. According to the researchers, just by analyzing the application, a malicious actor could have accessed each and every document sent by the 5 lakh users who downloaded it. The researchers said they contacted Google and each application developer to share their results before publishing their research. They said only a few of the apps have changed their settings since then.
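A release-time check for the second and third problems above, as an added example that is not part of the original article or of Check Point's research: it scans the text files of an unpacked app for credentials that belong on a server instead of in the package. The regular expressions, file suffixes and sample values are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumed credential shapes (commonly seen formats); all sample values are constructed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "fcm_legacy_server_key": re.compile(r"\bAAAA[\w-]{7}:[\w-]{100,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(  # secret-looking name assigned a long literal
        r"(?i)\b[\w.]*(?:secret|server_?key|storage_?key|passw(?:or)?d)[\w.]*"
        r"\s*[=:]\s*[\"']([^\"'\s]{16,})[\"']"),
}
TEXT_SUFFIXES = {".xml", ".json", ".java", ".kt", ".smali", ".properties", ".js", ".txt"}

def redact(value):
    """Keep enough of a match to locate it without copying the secret into reports."""
    return value[:6] + "..." if len(value) > 6 else "..."

def scan_text(text, source="<memory>"):
    """Return (source, line_no, kind, redacted_match) for every hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                findings.append((source, line_no, kind, redact(secret)))
    return findings

def scan_tree(root):
    """Scan every text-like file under an unpacked app directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample resembling a decoded res/values/strings.xml plus a properties line.
SAMPLE = """<resources>
  <string name="app_name">FaxDemo</string>
  <string name="bucket_id">AKIAABCDEFGHIJKLMNOP</string>
  <string name="push_sender">AAAAabcdefg:APA91b""" + "x" * 120 + """</string>
</resources>
storage_secret = "c0nstructed-sample-value-0001"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "strings.xml"):
        print(*finding, sep="\t")
```

Any hit means the key should be revoked and moved behind a server the app authenticates to, since removing it from a later build does not protect copies already shipped.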