100M Users Data Exposed via Third-Party Cloud Misconfigurations

Published: 23/11/2024   Category: security




Researchers who examined 23 Android apps report developers potentially exposed the data of more than 100 million people.



Mobile app developers have potentially exposed the data of more than 100 million users due to misconfigurations of third-party cloud services, report researchers who analyzed Android apps.
The Check Point Research (CPR) team examined 23 Android applications and found multiple kinds of misconfigurations that may have exposed emails, chat messages, location, passwords, and photos. These misconfigurations may have also put developers' internal resources at risk.
In 13 of these applications, CPR found publicly available sensitive data from real-time databases that allow app developers to store data in the cloud and ensure it's synchronized to connected clients in real time. Some real-time databases were not configured with authentication, so the team could access data like chats and passwords by simply sending a request to the database.
A popular taxi app with this misconfiguration has more than 50,000 downloads, researchers report. They were able to access chat messages between drivers and passengers, and retrieve users' full names, phone numbers, and destination and pickup locations by sending a request.
The team also found push notification and cloud storage keys embedded in multiple Android apps themselves. Most push notification services require a key — sometimes multiple keys — to recognize the identity of who submitted a request. When those keys are embedded into the app file, it's easy for attackers to take control and send potentially malicious notifications.
Cloud storage is another common problem. When analyzing the Screen Recorder app, which has more than 10 million downloads, researchers were able to recover keys that grant access to each recording. Another app called iFax both had cloud storage keys embedded into the app and stored all fax transmissions there, they report.
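A release-time check for the embedded-key problem described in the two paragraphs above, as an added example that is not from the article or from Check Point: it scans every file inside an APK for key-shaped strings before the build ships. The key formats (AWS access key IDs, Google API keys) are assumptions, since the article names no provider, and the sample archive and its values are constructed.

```python
import io
import re
import zipfile

# Assumed key shapes (the article names no provider): publicly documented
# prefixes for AWS access key IDs and Google API keys.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(rb"(?<![0-9A-Z])(?:AKIA|ASIA)[0-9A-Z]{16}(?![0-9A-Z])"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
}

def scan_bytes(data):
    """Return sorted (kind, redacted_value) pairs found in one file's bytes."""
    hits = set()
    # Raw bytes cover UTF-8/MUTF-8 strings (classes.dex); the two strided views
    # cover UTF-16LE strings in compiled resources, at either byte alignment.
    for view in (data, data[0::2], data[1::2]):
        for kind, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(view):
                hits.add((kind, m.group().decode("ascii")[:8] + "..."))
    return sorted(hits)

def scan_apk(apk_file):
    """Map entry name -> findings for every file inside an APK (a ZIP archive)."""
    findings = {}
    with zipfile.ZipFile(apk_file) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            hits = scan_bytes(apk.read(info))
            if hits:
                findings[info.filename] = hits
    return findings

def build_sample_apk():
    """Constructed sample: an in-memory archive holding fake, key-shaped values."""
    fake_google = "AIza" + "A" * 35        # constructed, not a real key
    fake_aws = "AKIA" + "EXAMPLE0" * 2     # constructed, not a real key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"\x00push_key=" + fake_google.encode() + b"\x00")
        apk.writestr("resources.arsc", b"\x01" + ("bucket " + fake_aws).encode("utf-16-le"))
        apk.writestr("res/raw/notes.txt", b"no secrets here")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, hits in scan_apk(build_sample_apk()).items():
        print(name, hits)
```

A finding means the key ships to every device that installs the app, so it should be rotated and moved behind a server-side component rather than only removed from the next build.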
Researchers note they disclosed their findings to Google and each app's developer before they published their findings. Some of the apps have since updated their configuration.
Read the full Check Point blog post for more details.
