Check Point Research has uncovered 23 Android applications whose misconfigured third-party services left the data of 100 million users exposed.
- Data of 100 million users was exposed because mobile app developers misconfigured third-party cloud services.
- The misconfiguration puts users’ data and developers’ internal resources, such as access to update mechanisms and storage, at risk.
- Check Point experts were able to access the backend databases of 13 apps, including Astro Guru, Logo Maker, Screen Recorder, T’Leva, and iFax.
The experts pointed out that the misconfiguration put the developers’ internal resources, such as access to update mechanisms and storage, at risk.
“This misconfiguration of real-time databases is not new, but to our surprise, the scope of the issue is still far too broad and affects millions of users,” reads the report disclosed by the experts. “While investigating the content on the publicly available database, we were able to recover a lot of sensitive information including email addresses, passwords, device location, private chats, user identifiers, and more. If a malicious actor gains access to this data, it could potentially result in service-swipes, fraud, and identity theft.”
Check Point experts were able to access the backend databases of 13 apps (including Logo Maker, Astro Guru, Screen Recorder, T’Leva, and iFax) that were found to contain sensitive data such as email addresses, location coordinates, personal images, passwords, private chats, social media credentials, user identifiers, and screen recordings.
The apps analyzed by Check Point also exposed access keys that would have enabled attackers to send push notifications to all the users of the applications. Apps use push notifications to flag newly available content (like a new video posted), display chat messages and emails, and much more.
An app named “Screen Recorder”, with over 10 million downloads, is used to record the device’s screen and store the recordings on a cloud service. “While accessing screen recordings through the cloud is a convenient feature, there can be severe implications if the developers embed the secret and access keys to the same service that stores those recordings. With a fast analysis of the application file, we were able to recover the mentioned keys that grant access to each stored recording,” continues the report.
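A developer can catch this class of mistake before release by scanning the build output for embedded cloud credentials. The sketch below is an added example, not code from the Check Point report or from any of the apps: it assumes the package is a zip archive (as an APK is) and that keys appear as plain ASCII bytes, the rule names and the `scan_package` helper are hypothetical, and the sample package is constructed with AWS's published documentation example keys.

```python
import io
import re
import zipfile

# Patterns for credential formats with a fixed, publicly documented shape,
# plus a generic "secret/access key = <long token>" assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(rb"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_secret": re.compile(
        rb"(?i)(?:secret|access)[_-]?key[\"'\s:=>]+([A-Za-z0-9/+=]{32,})"),
}

def redact(token: bytes) -> str:
    """Keep findings out of CI logs: show a 4-char prefix and the length."""
    return f"{token[:4].decode('ascii', 'replace')}...({len(token)} chars)"

def scan_package(data: bytes):
    """Scan every entry of a zip-format app package (an APK is a zip).
    Returns sorted (entry, rule, redacted_match) tuples."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for entry in pkg.namelist():
            blob = pkg.read(entry)
            for rule, rx in PATTERNS.items():
                for m in rx.finditer(blob):
                    token = m.group(m.lastindex or 0)
                    findings.add((entry, rule, redact(token)))
    return sorted(findings)

def build_sample_package() -> bytes:
    """Constructed sample input (not a real app); keys are AWS's documentation examples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/values/strings.xml",
                   '<string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>\n'
                   '<string name="aws_secret_key">'
                   'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n')
        z.writestr("assets/config.json", '{"upload_bucket": "recordings"}')
    return buf.getvalue()

if __name__ == "__main__":
    results = scan_package(build_sample_package())
    for entry, rule, shown in results:
        print(f"{entry}: {rule}: {shown}")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the build
```

Any hit means the key ships to every device that installs the app, so the fix is to rotate the key and move the privileged call behind a server the developer controls rather than to obfuscate the string.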
Below is the complete list of apps assessed by the experts, and the majority of them have more than 10 million installations on Google Play.