This top Android voice chat app was leaking customer data everywhere


A relatively popular Android voice chat app was found leaking sensitive user data, and anyone who knew where to look could access it.

The OyeTalk app leveraged Google’s Firebase mobile application development platform, which also offers cloud-hosted databases. According to Cybernews researchers, the Firebase instance of OyeTalk was not password-protected, meaning its content was publicly visible.


The content, the researchers further explained, included people’s usernames, unencrypted chats and IMEI numbers. The latter is a bit more concerning as IMEI can be used by threat actors (as well as law enforcement) to identify the device and its rightful owner.

Irreversible damage

“Spilling IMEI numbers on every message sent is a huge invasion of privacy, as the message is permanently tied to a specific device and its owner at the time,” the researchers said. “Threats could abuse it to impose ransoms.”

The database was about 500MB in size, meaning potential attackers could have easily downloaded or deleted it – the latter scenario meaning there was a possibility of permanent loss of users’ private messages.
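An added example, not taken from the article or from the app's code: a check that flags database rules granting public read or write, the condition under which anyone can download or delete the data as described above. It assumes the Firebase Realtime Database JSON rules format (the article does not name the database product); both rule sets are constructed samples and the function names are illustrative.

```python
import json

# Constructed sample rules (not from the OyeTalk app): a wide-open ruleset
# and a version that requires a signed-in user and scopes data per user.
OPEN_RULES = json.loads("""
{"rules": {".read": true, ".write": "true",
           "chats": {"$room": {".read": "auth != null"}}}}
""")
HARDENED_RULES = json.loads("""
{"rules": {"users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                              ".write": "auth != null && auth.uid === $uid"}},
           "chats": {"$room": {".read": "auth != null",
                               ".write": "auth != null"}}}}
""")


def is_public(expr):
    """A rule is open to everyone when it is the literal true (bool or string)."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"


def find_public_rules(node, path=""):
    """Walk the rules tree and return (path, operation) pairs open to anyone.

    .read and .write grants cascade downward: a grant at a parent path cannot
    be revoked by a child, so a finding at "/" exposes the whole database.
    """
    findings = []
    for op in (".read", ".write"):
        if is_public(node.get(op)):
            findings.append((path or "/", op))
    for key, child in node.items():
        if isinstance(child, dict):
            findings.extend(find_public_rules(child, f"{path}/{key}"))
    return findings


def audit(rules):
    """Audit a parsed rules document; an empty list means no public grants."""
    return find_public_rules(rules.get("rules", {}))


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules))
```

A public `.read` corresponds to the download scenario and a public `.write` to the deletion scenario; running the check in CI before rules are deployed catches both.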

In addition to sensitive user data, the app also leaked secrets such as API keys and Google storage buckets, as they were allegedly hardcoded in the client side of the app. To Cybernews researchers, this is “sloppy” work by the developers, as hard-coding sensitive data into the client side of an Android app like this “is insecure because in most cases it is easily accessible through reverse engineering.”

“In the past, this shoddy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems,” the researchers warned.

Even after being made aware of the open database, the developers did nothing, Cybernews said, but thankfully Google’s security measures managed to shut down the instance.

Via: Cybernews
