The Android app Web Explorer – Fast Internet left an open instance, exposing a trove of sensitive data that malicious actors could use to check specific users’ browsing history.
A browsing app for Android devices, Web Explorer – Fast Internet, left open its Firebase instance, exposing app and user data, the Cybernews research team has discovered.
Firebase is a mobile application development platform that offers many features, including analytics, hosting, and real-time cloud storage.
Web Explorer – Fast Internet is a browsing app with over five million downloads on the Google Play store. It boasts of increasing browsing speed by 30% and has a user rating average of 4.4 out of five stars, across more than 58,000 reviews.
De-anonymize users
According to the team, the open Firebase instance contained days’ worth of redirect data, presented by user ID. This included country, redirect initiating address, redirect destination address, and user country.
“If threat actors could de-anonymize the app’s users, they would be able to check a bunch of information on browsing history for a specific user and use it for extortion,” Cybernews researchers said.
However, getting their hands on the data that Web Explorer – Fast Internet left exposed would not be enough by itself. A threat actor would also have to seek out where app developers store additional user data. That said, cross-referencing the leaked data with additional details could amplify any damage done to the app’s users.
Keys and IDs
The team also discovered that the app had hardcoded sensitive information on the client side of the application. Hardcoding sensitive information, commonly known as “secrets,” is considered a bad practice as threat actors could extract it for malicious use.
Web Explorer – Fast Internet had a hardcoded firebase_database_url key that points to a database with anonymized partial user browsing history, default_web_client_id, a unique public identifier dispatched for an application using Firebase, gcm_defaultSenderId, a key enabling cross-server communication.
“If threat actors could de-anonymize the app’s users, they would be able to check a bunch of information on browsing history for a specific user and use it for extortion.”
Cybernews researchers said.
The app also held google_api_key and google_api_id, both used for authentication purposes. API Key and app ID are used to identify a verified Google app to access Google API services.
Additionally, the team found google_crash_reporting_key and google_storage_bucket key hardcoded in the app. The first key is not considered too sensitive, but threat actors can still exploit it to impact user experience. For example, they could issue mock requests, disrupting the app’s crash-reporting and negatively affecting performance.
Meanwhile, leaving the google_storage_bucket_key hardcoded in the app allows threat actors to read and write any information on the dedicated bucket in the Google Cloud Service (GCS) if the bucket lacks authorization setup. Even though the team did not check whether the bucket was publicly accessible, it is still a misconfiguration case that could lead to sensitive user details being further exposed.
Partly resolved
The team reached out to Web Explorer – Fast Internet upon discovering the open instance but had not received a reply at the time of publishing. However, the open Firebase instance has been closed and is no longer accessible.
According to the team, with the instance closed, threat actors can no longer access sensitive redirect data, which, with additional effort, could have allowed them to de-anonymize Web Explorer – Fast Internet users’ browsing activity.
Data on the Google Play store indicates that the app was last updated on October 28, 2020, meaning that hardcoded secrets are still there.
“Since the problem is now only partially solved and we received no response from the app developers, we can only guess what other information could be leaking through the application’s secrets,” the Cybernews research team said.
Your email address will not be published. Required fields are markedmarked