Unprotected in the cloud:
Cloud platforms have changed the way developers work and have become a standard in application development. When writing the code, developers invest many resources to protect an application against various forms of attacks. However, there are times when developers neglect to properly configure cloud databases and thus leave real-time databases unprotected, which can lead to catastrophic breach if it is exploited.
Developers often manually change the default locked and secured configurations of security rules to conduct testing. Suppose the application is left unlocked and unprotected before releasing to production. In that case, the database is open to anyone who accesses it and is vulnerable to reading and writing to the database.
Security researchers from Check Point Research (CPR), the specialist division of Check Point Software Technologies, found 2113 mobile applications using Google Firebase that had made their way to VirusTotal over a three-month period, with their backend databases left open and easily accessible to attackers. The information disclosed includes chat messages in popular gaming apps, family photos, data from healthcare applications, data from cryptocurrency exchange platforms, and much more.
Although cloud misconfigurations are considered the least sophisticated type of cloud exploits, they cost companies across all industries tens of millions. Buckets sometimes remain open for months or even years before being reported. With sophisticated attacks becoming more prevalent in today’s threat landscape, organizations cannot afford to have a poor security strategy.
CPR has now found a significant number of unprotected databases. Their search covered all applications communicating with Firebase services. Researchers verified that a database was readable without authentication by requesting its /.json URL. Here is an example URL: <DB_name>.firebaseio.com/.json. None of the databases with sensitive data described here should normally be accessible. Next, they filtered with keywords like “token”, “password”, or “admin”, which led to many interesting results. Below are some examples that show the variety of data available.
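The two checks the text describes, the security rules that were loosened for testing and the unauthenticated /.json read, as an added audit helper that is not Check Point's tooling. It walks a Firebase Realtime Database rules document for paths that are not restricted to authenticated users and interprets the response of the /.json probe; the rules documents and HTTP responses are constructed samples, and `DB_name` is a placeholder.

```python
"""Audit Firebase Realtime Database rules for world-readable or world-writable
paths and interpret the unauthenticated /.json probe. Constructed example."""
import json

def _classify(expr):
    """Map a .read/.write value to 'public', 'locked', 'auth' or 'conditional'.
    Heuristic: any expression that never mentions auth can match anonymous
    clients (e.g. the console's test-mode 'now < <timestamp>' rule)."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "public"
    if expr is False or (isinstance(expr, str) and expr.strip() == "false"):
        return "locked"
    if isinstance(expr, str) and "auth" in expr:
        return "auth"
    return "conditional"

def find_open_paths(rules_doc):
    """Return [(path, op, verdict)] for every .read/.write not tied to auth.
    Rules cascade downward, so a public rule at '/' exposes every child path."""
    findings = []
    def walk(node, path):
        for key, val in node.items():
            if key in (".read", ".write"):
                verdict = _classify(val)
                if verdict in ("public", "conditional"):
                    findings.append((path or "/", key, verdict))
            elif isinstance(val, dict):
                walk(val, f"{path}/{key}")
    walk(rules_doc["rules"], "")
    return findings

def probe_verdict(status, body):
    """Interpret GET https://<DB_name>.firebaseio.com/.json sent without
    credentials: 200 with data means anyone can read the whole database,
    401 'Permission denied' means the rules are holding."""
    if status == 200:
        return "EXPOSED: database readable without credentials"
    if status == 401 and "Permission denied" in body:
        return "OK: read denied to unauthenticated clients"
    return f"UNKNOWN: status {status}"

# Constructed rules: a project left in test mode (no auth check at the root)
# next to the locked default plus per-user rules that should ship to production.
TEST_MODE_RULES = json.loads('{"rules": {".read": "now < 1700000000000", '
    '".write": "now < 1700000000000", "users": {"$uid": {".read": "auth != null"}}}}')
LOCKED_RULES = json.loads('{"rules": {".read": false, ".write": false, "users": '
    '{"$uid": {".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}}}}')
```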
In the example below, this e-commerce application had inadvertently disclosed its API gateway credentials and API keys. CPR could access this data without encountering any protective mechanism. The application’s owner is a large shopping chain in South America.
It is not uncommon for an application under development to be uploaded to publicly accessible platforms such as VirusTotal. There are multiple reasons for this. For example, some developers check whether their application is classified as malicious, especially for applications with invasive permissions, or use the platform’s sandboxing features. Or corporate security policies may upload the application automatically, sometimes without the developer’s knowledge. Of all Firebase applications uploaded to VirusTotal, more than 2000 applications, or five per cent, were left with exposed databases. Projected month after month, the impact is severe.
These databases are a goldmine for hackers, as they allow them to read existing entries and write new values to the database. An attacker could potentially modify entries in the bucket and inject malicious content to infect users, or delete its entire contents. There have been several cases where ransomware groups exploited misconfigured cloud storage and demanded ransom payments after extracting and deleting databases that were left open. In another case, attackers double-extorted the victims, threatening to report the company’s bad practices to the European Union’s GDPR authorities for not complying with data protection principles. Companies bound by the GDPR
The variety of possible attacks depends on the type of data disclosed. Possibilities range from fraud to identity theft to ransomware and even supply chain attacks.
Cloud misconfigurations are not a new problem, but they currently affect millions of users and potentially impact thousands of organizations and businesses. In May 2021, CPR discovered multiple misconfigurations in third-party cloud services for Android applications, leading to the disclosure of sensitive personal information of more than 100 million Android users and developers. Many vulnerabilities were the result of the improper configuration of real-time databases.
“With this research, we’re showing how easy it is to find datasets and critical assets that are accessible in the cloud to anyone who can access them with a simple search,” said Lotem Finkelstein, Head of Threat Intelligence and Research at Check Point Software Technologies, “and we’re showing a simple way hackers might be able to do this. The method is to search public file repositories, such as VirusTotal, for mobile applications that use cloud services. A hacker can query VirusTotal for the full path to a mobile application’s cloud backend. Everything we found is accessible to everyone. Ultimately, we prove how easy it is to commit a data breach or abuse with this investigation. The amount of data that is open and accessible to everyone in the cloud is crazy. It’s easier to break into the data than we all think.”