At least three mobile apps that recognised items in photos were leaking highly sensitive information online, and hackers had picked up on it. All three had misconfigured Firebase instances with insufficient authentication and access controls, leaving data in an open database. This data included email addresses, usernames (often including full names), Firebase Cloud Messaging (FCM) notification tokens, profile photos, and GPS coordinates.
Not all users of the apps were affected. The likely reason is that only certain optional features depended on the misconfigured Firebase instances, so only users who enabled those extras had their data stored there.
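The misconfiguration described above comes down to database security rules that grant read (and often write) access without requiring authentication. The following is an added illustration, not rules taken from the report or from any of the three apps, showing Firebase Realtime Database rules in the open form beside an owner-only form. The `profiles` path, its field names and the `$uid` wildcard are assumptions for the example; the `//` comments are accepted by the Firebase rules editor but must be removed if the file is parsed as strict JSON.

```json
{
  "rules": {
    // OPEN FORM (the shape of the leak): anyone holding the database URL
    // can read and write every record, no sign-in required.
    // ".read": true,
    // ".write": true,

    // OWNER-ONLY FORM: nothing is readable by default; each user may
    // read and write only the profile stored under their own uid.
    "profiles": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        // Keep the record to the fields the app actually needs; a stray
        // key such as a raw GPS fix is rejected rather than stored.
        ".validate": "newData.hasChildren(['email', 'displayName'])",
        "email":       { ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)" },
        "displayName": { ".validate": "newData.isString() && newData.val().length <= 64" },
        "fcmToken":    { ".validate": "newData.isString()" },
        "$other":      { ".validate": false }
      }
    }
  }
}
```

Because a path with no `.read` rule is unreadable, the root of the owner-only form denies everything that is not explicitly opened, which is the inverse of the open form. Rules can be exercised against a local instance with the Firebase Emulator Suite before they are published with `firebase deploy --only database`, and the same owner-only pattern applies to notification tokens and location data, which should never be readable by other users.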
According to Cybernews, the three apps found leaking data were: Dog Breed Identifier Photo Cam (500K downloads, 66,182 users affected), Spider Identifier App by Photo (500K downloads, 40,779 users affected), and Insect identifier by Photo Cam (1M downloads, 45,005 users affected).
“While the leaked data does not appear to include passwords, the exposed information is still highly sensitive. Along with personally identifiable information (PII), the apps also leaked user locations, either by retrieving them from uploaded photos or by harvesting them through the apps’ permissions. Leaked GPS coordinates are especially sensitive. Location details from the apps might reveal where users live or their movement habits, which might be exploited by malicious actors,” the report stated.
The leaked email addresses and names are enough to support phishing and identity theft, and the GPS coordinates make the exposure more dangerous still, because they tie that personal information to a physical location.
The researchers at Cybernews said they discovered a “Proof-of-Concept” entry in the databases, which is “a signature that automated bots leave behind to indicate they have found an unsecured database.” In other words, attackers had already found the exposed data.
“The number of app installs is significant. It’s a common metric users rely on to gauge the app’s popularity, which is also a trust factor. These data leaks show that relying solely on an app’s popularity to gauge its security is not enough,” the Cybernews research team said, as reported by TechRadar.
