Cybersecurity Alert: Millions of Users Affected by Weak Firebase Implementations
A critical security lapse has exposed the personal information of millions of users due to misconfigured instances of Google Firebase, a popular development platform. Security researchers identified weaknesses that allowed unauthorized access to a staggering 125 million user records, including sensitive data such as names, phone numbers, email addresses, plaintext passwords, confidential messages, and even billing information.
The Breach at Chattr
The incident began with the investigation of Chattr, an AI-powered hiring system used by various US fast-food chains. Researchers discovered a vulnerability in Chattr’s Firebase implementation that granted them full access to the database simply by registering a new user. This access included names, phone numbers, email addresses, unencrypted passwords for some accounts, private messages, and more.
The exposed data potentially compromises employees, franchise managers, and even job applicants who used the Chattr platform. Researchers identified a method to create a new administrative account, granting access to the admin dashboard with functionalities like processing refunds. An even more concerning “ghost mode” was discovered, allowing complete control over user accounts, billing information, and even the ability to hire candidates.
Fortunately, Chattr addressed the issue promptly after researchers reported the vulnerability on January 10th, 2024.
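The weakness described above, where any account that can sign itself up receives read and write access to the whole database, maps directly onto Firebase Realtime Database security rules. The rules file below is an added illustration for this article, not Chattr's or any listed site's actual configuration; the data paths (users, roles, billing) and the admin custom claim are assumptions chosen to show the weak pattern beside a hardened one.

```json
{
  "rules": {
    // Weak pattern behind the exposures described above: any signed-in
    // account (which includes anyone who self-registers) may read and
    // write the entire tree. Equivalent to:
    //   ".read":  "auth != null",
    //   ".write": "auth != null"
    //
    // Hardened pattern: deny everything at the root, then grant access
    // per path. Rules cascade downward, so a grant at a shallower path
    // cannot be revoked deeper, which is why the root is the deny point.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // A user may read only their own record; staff carrying an
        // "admin" custom claim (assumed here, set server-side with the
        // Admin SDK) may read any record.
        ".read": "auth != null && (auth.uid === $uid || auth.token.admin === true)",
        ".write": "auth != null && auth.uid === $uid",
        // Credentials never belong in the database; Firebase
        // Authentication stores them. Reject any write carrying one.
        "password": { ".validate": false }
      }
    },

    // Privilege lives outside client-writable data, so a self-registered
    // account cannot promote itself to administrator from the client.
    "roles": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": false
      }
    },

    // Billing data is readable only by admins and writable only by
    // trusted server code (the Admin SDK bypasses these rules).
    "billing": {
      ".read": "auth != null && auth.token.admin === true",
      ".write": false
    }
  }
}
```

Role assignment and billing writes are deliberately impossible from client code here; they are done by server-side code using the Admin SDK, which ignores security rules and sets the admin claim through its custom-claims API.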
Widespread Misconfiguration Exposes Millions More
The investigation into Chattr’s breach led researchers to a disturbing discovery: hundreds of other websites were similarly misconfigured, leaving user data vulnerable. They identified a total of 900 websites exposing a collective 125 million user records.
The exposed data included:
- Over 80 million names
- Over 100 million email addresses
- More than 33 million phone numbers
- Over 20 million passwords (in plain text!)
- Over 27 million billing information entries
Researchers believe the actual number of exposed records could be significantly higher.
Examples of Affected Websites
Several websites were identified as having significant data leaks due to misconfigured Firebase. Here are a few examples:
- Silid LMS: A learning management system exposing data on 27 million users.
- Lead Carrot: A cold calling lead generation tool exposing details of 22 million users.
- MyChefTool: A restaurant management and PoS application exposing names and emails of 14 million users.
- Online Gambling Network: A network of nine gambling websites exposing bank account details of approximately 8 million users.
Communication Challenges and Patching Efforts
The researchers attempted to contact 842 websites regarding their misconfigured Firebase instances. However, only 85% of their emails were successfully delivered. The response rate was even lower, with only a quarter of the contacted websites fixing the configuration issues. Disappointingly, just 1% responded via email, and only two offered a bug bounty for identifying the vulnerability.
What You Can Do to Protect Yourself
While this data breach highlights the importance of secure application development, there are also steps you can take to protect yourself:
- Change Passwords: If you have used any of the potentially affected websites, change your passwords immediately, especially if you used the same password on other platforms.
- Enable Two-Factor Authentication: Two-factor authentication adds an extra layer of security by requiring a second verification step when logging in.
- Be Wary of Phishing Attempts: Scammers may exploit this data breach by sending phishing emails pretending to be from the affected websites. Be cautious of any emails urging you to click on links or provide personal information.
By following these steps and remaining vigilant about online security practices, you can help minimize the risks associated with data breaches.