A new flaw in apps that use Google technology potentially puts at risk anyone using cryptocurrency wallets or mobile exchange apps.
A study by security firm Security Discovery, published on Tuesday (12), shows that more than 4,000 applications expose user data, including more than one million passwords. The victims therefore number in the millions around the planet.
The problem lies in a critical security bug in the Firebase platform, created by Google. The platform provides programmers with a number of ready-made tools to facilitate application development. The analysis covered 15,735 Android apps, equivalent to 18% of all downloads from Google Play.
According to the survey, 4.8% of these apps have serious weaknesses that expose emails, usernames, passwords, phone numbers, full names, chat messages and users' location data.
For now, there is still no solution to the problem. The exposed data consists of:
- 18.3 million names
- 6.8 million messages
- More than 7 million emails
- About 4.4 million usernames
- Over a million passwords
- 5.3 million phone numbers
- 6.2 million GPS locations
- 156 thousand IP addresses
- More than 560 thousand physical addresses
Risk to wallet and exchange passwords
Firebase libraries are used by thousands of applications. This includes Android apps as well as apps on other platforms, such as iOS and the web. The risk therefore extends to almost anyone in the world with access to the internet.
It is not possible to know for sure which applications are affected. Firebase databases are often used in apps that update information in real time, such as exchanges. Users who usually trade via smartphone are therefore more likely to be exposed.
Moreover, the big problem is how easy the data is to access. According to experts, it is indexed by the Bing search engine. That way, anyone could find sensitive information on the web. With an email password and a phone number, for example, a criminal could reset the password for a Coinbase account, which uses two-step verification with a code sent by SMS.