Paws off my data: iOS cat game leak exposes 450K users


The iOS game left nearly half a million users exposed to hackers who could track them, hijack their Facebook accounts, or even weaponize the app’s own backend.

Researchers at Cybernews have found that an iOS game “Cats Tower: The Cat Game!” has been exposing players' IPs and, in some cases, Facebook access tokens.

On Apple’s App Store, the app’s developer is listed as Rhino Games; however, their privacy policy links to a webpage belonging to Armenian mobile game developer Next Epic LLC.


Leaked data could let hackers track users' online footprints, hijack their Facebook accounts, and pinpoint their location. While IP addresses aren't GPS coordinates, they can still give a disturbingly close idea of where someone lives, especially when cross-referenced with other public or leaked data.

Some of the leaked information included Facebook user IDs and access tokens. While the quantity of Facebook data was smaller compared to the IP and username dump, exposing it is extremely dangerous.

These access tokens could let attackers slip into your Facebook account and start posting crypto scams or sending phishing links to your friends.

Cybernews has contacted the company multiple times, but received no response.

What was exposed by the iOS game app?

  • Usernames
  • IP addresses
  • Facebook IDs and access tokens
  • Hardcoded secrets

The app has been spilling sensitive user data thanks to a Firebase misconfiguration.

At the time of the investigation, the exposed Firebase instance was leaking the IP addresses and usernames of over 450,000 users, along with 229 Facebook user ID and access token pairs.
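The article does not publish the game's actual database rules, so the following is an added illustration (not code from the game, its developer, or Cybernews) of the Firebase Realtime Database rule set that produces exactly this kind of exposure, next to a rule set that scopes each record to its owner. The path names `users` and `$uid` are assumptions for the example.

```json
// Weak: a world-readable and world-writable Realtime Database. Anyone who
// knows the DATABASE_URL can GET <DATABASE_URL>/.json and receive every record.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// Hardened: reads and writes require a signed-in Firebase user, and each user
// can reach only the subtree keyed by their own uid. Permissions granted at a
// path cascade to its children but never to its parent, so the root stays
// closed. Third-party access tokens, such as the Facebook tokens found here,
// should not be stored under any client-readable path at all.
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

Rules are enforced server-side, so they are the only control that matters once the database URL is in the app bundle; the app's own code cannot hide that URL from anyone who unpacks the IPA.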


Developers often use Firebase as a fast-moving front-end store whose contents are periodically synced to, or pruned against, a more permanent backend. What was visible at the time of the investigation is therefore only a snapshot, and the full exposure could be far larger.

A savvy threat actor could’ve set up a scraper to quietly monitor the database in real time, siphoning off fresh data as it appeared, turning a single leak into an ongoing surveillance operation.

iPhone game is leaking sensitive information

To make matters worse, the app's codebase was littered with other sensitive information, commonly known as secrets. Secrets should never be visible to anyone outside the development team, let alone be accessible to anyone on the internet.

List of secrets leaked by the iPhone game:

  • Client ID
  • Reversed Client ID
  • Android Client ID
  • API Key
  • Project ID
  • Storage Bucket
  • Google App ID
  • Database URL
  • GAD Application Identifier

The exposed secrets are some of the top 10 most leaked secrets among iOS apps.

Cybersecurity experts warn that leaving API keys, credentials, and other sensitive information in the published app’s code – or, in other words, "hardcoding" them – is a dangerous practice that could open the door to attackers. In this case the listed values are the fields of the app's bundled Firebase configuration file (GoogleService-Info.plist). They identify the project rather than authenticate to it, which is exactly why the database they point to has to enforce its own access rules; here, it did not.

With secrets in hand, a threat actor could map out the app’s entire backend infrastructure, abuse its own services to harvest more user data, spin up fake requests, or even send spam directly through the app’s infrastructure, effectively weaponizing it from the inside.
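As an added example (not code from the game, its developer, or Cybernews), the script below shows how a practitioner checks their own app for this class of exposure: unpack the IPA, read the bundled GoogleService-Info.plist, report which of the nine listed values it carries, and build the unauthenticated read request against the Realtime Database that the leaked DATABASE_URL makes possible. The plist contents, the `CatsTower.app` bundle name, and the two HTTP responses are constructed placeholders; the script performs no network requests itself.

```python
import io
import json
import plistlib
import zipfile

# Constructed GoogleService-Info.plist, the file the Firebase iOS SDK reads
# from the app bundle. Every value is a placeholder invented for this example.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CLIENT_ID</key><string>123456789012-abcdefg.apps.googleusercontent.com</string>
  <key>REVERSED_CLIENT_ID</key><string>com.googleusercontent.apps.123456789012-abcdefg</string>
  <key>ANDROID_CLIENT_ID</key><string>123456789012-hijklmn.apps.googleusercontent.com</string>
  <key>API_KEY</key><string>AIzaSyPLACEHOLDER0000000000000000000000</string>
  <key>PROJECT_ID</key><string>example-cat-game</string>
  <key>STORAGE_BUCKET</key><string>example-cat-game.appspot.com</string>
  <key>GOOGLE_APP_ID</key><string>1:123456789012:ios:0123456789abcdef</string>
  <key>DATABASE_URL</key><string>https://example-cat-game.firebaseio.com</string>
  <key>GAD_APPLICATION_IDENTIFIER</key><string>ca-app-pub-0000000000000000~0000000000</string>
</dict>
</plist>
"""

# The nine values the article lists are the keys of this file. Each is a
# client-side identifier by design; the two marked "probe" name a backend
# whose own access rules decide whether the identifier becomes a data leak.
BUNDLED_KEYS = {
    "CLIENT_ID": "OAuth client ID (public identifier)",
    "REVERSED_CLIENT_ID": "URL scheme for the OAuth callback (public)",
    "ANDROID_CLIENT_ID": "OAuth client ID of the Android build (public)",
    "API_KEY": "Firebase API key: identifies the project; restrict it in Cloud console",
    "PROJECT_ID": "Firebase project name (public)",
    "STORAGE_BUCKET": "Cloud Storage bucket: probe for unauthenticated listing",
    "GOOGLE_APP_ID": "Firebase app ID (public)",
    "DATABASE_URL": "Realtime Database endpoint: probe for unauthenticated reads",
    "GAD_APPLICATION_IDENTIFIER": "AdMob app ID (public)",
}


def build_sample_ipa():
    """Constructed stand-in for an .ipa: a zip with the plist at the usual path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/CatsTower.app/Info.plist", "<plist/>")
        z.writestr("Payload/CatsTower.app/GoogleService-Info.plist", SAMPLE_PLIST)
    return buf.getvalue()


def find_google_service_plist(ipa_bytes):
    """An .ipa is a zip archive; the Firebase config is a plain file inside it."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            if name.endswith("GoogleService-Info.plist"):
                return z.read(name)
    return None


def extract_firebase_config(plist_bytes):
    """Return the listed Firebase values present in a GoogleService-Info.plist."""
    data = plistlib.loads(plist_bytes)
    return {k: data[k] for k in BUNDLED_KEYS if k in data}


def rtdb_root_url(config):
    """URL an unauthenticated read test would GET. ?shallow=true asks the REST
    API for top-level keys only, so a test confirms exposure without pulling data."""
    return config["DATABASE_URL"].rstrip("/") + "/.json?shallow=true"


def classify_rtdb_response(status, body):
    """Interpret the response to the unauthenticated GET on /.json."""
    if status == 200:
        return "open"          # rules allow public read; records came back
    if status == 401:
        try:
            msg = json.loads(body).get("error", "")
        except ValueError:
            msg = body
        return "locked" if "Permission denied" in msg else "unknown"
    return "unknown"


# Constructed responses illustrating the two outcomes of the read test.
OPEN_RESPONSE = (200, '{"users": true, "leaderboard": true}')
LOCKED_RESPONSE = (401, '{"error" : "Permission denied"}')


if __name__ == "__main__":
    cfg = extract_firebase_config(find_google_service_plist(build_sample_ipa()))
    for key, value in cfg.items():
        print(f"{key:28} {value}   <- {BUNDLED_KEYS[key]}")
    print("read test:", rtdb_root_url(cfg))
    for status, body in (OPEN_RESPONSE, LOCKED_RESPONSE):
        print(status, classify_rtdb_response(status, body))
```

Run against your own build: a 200 on the shallow read means any installed copy of the app, or anyone who downloaded the IPA, can enumerate the database exactly as the researchers did. Fixing it means tightening the database rules, not trying to obfuscate the URL in the binary.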

iOS applications cannot hold secrets


This leak was uncovered as part of an investigation by Cybernews, in which researchers analyzed 156,000 iOS apps, roughly 8% of the entire App Store.

Researchers found something truly alarming: app developers are routinely hardcoding sensitive credentials directly into their app code, leaving them exposed. Worryingly, 71% of the analyzed apps leak at least one secret, with an average app's code exposing 5.2 secrets.

Some of the cases are extremely troublesome. Cybernews uncovered that several popular iOS dating apps were leaking hardcoded credentials, which gave access to cloud storage buckets containing nearly 1.5 million user photos. Leaked data included deleted images, rule-breaking content, and private pictures sent through private messages.

In another case, an iPhone app designed to help families track each other’s locations was actually leaking real-time GPS coordinates. Similarly, an iPhone spam blocker meant to protect users from robocalls and malicious texts was leaking blocked numbers, keywords, and customer support tickets with real names and emails.

By vilius, Gintaras Radauskas, Ernestas Naprys, Paulina Okunyte

Disclosure timeline:

Discovered: January 7th, 2025
Initial disclosure: January 15th, 2025
