A popular barcode scanning app for Android contained a serious vulnerability that allowed anyone to easily gain access to a database full of sensitive data, as long as they knew where to look.
Cybernews reports this report about the flaw in the Barcode to Sheet app, which allows e-commerce users to scan a barcode on an item and generate data in a format readable by various spreadsheet apps.
It has over 100,000 downloads on the Google Play Store and an average rating of 4.5/5, making it relatively popular and trusted.
Different usage scenarios, all dangerous
The data generated by the scanner went to a Firebase database that, the researchers said, was unprotected. It contained more than 360 MB of data, including product information, reports, emails, user IDs, and user passwords. Some of the information was stored in plain text, while passwords were stored in the MD5 hash format. MD5 is pretty much obsolete as it is a broken hash algorithm and can be unlocked with basic programming knowledge.
But that's not all, as the database also contained sensitive data on the application's client side, with access keys and IDs in addition to web client IDs, Google API keys, Google app ID, crash reporting keys, and more.
“The leaked data is sensitive. It included not only the application's secrets, stored on the client side of the app, but also company and user information, including users' passwords,” the Cybernews team said.
This means the data can be used in a number of different attacks, ranging from simple phishing attacks to identity theft, ransomware deployment and more. Even the competition can use the data to understand their business landscape, identify their strengths and weaknesses, and ultimately gain an unfair advantage.
“Competitors can use the data for intellectual property espionage. One way to do that is by analyzing user preferences and checking what type of goods the company using the app has in stock,” the Cybernews team said.
The app's developers are said to be working on a fix and Ny Breaking has contacted them for comment.