
Your next favorite read could cost you your privacy. An iOS book app just exposed 42,000 users’ personal data to hackers.
Your book list is serving hackers way more than your reading preferences. An iOS app named “My Book List - Library Manager” pitches itself as a literary lifestyle upgrade. The organizer helps readers track their book hauls, connect with fellow bibliophiles, and gain insights into their reading habits.
However, while organizing paperbacks, it has also been quietly leaking user data. Researchers at Cybernews just uncovered that the app has been spilling sensitive user data of 42,000 users.
The iOS app is developed by BigBalli Consulting LLC, a California-registered company. Cybernews has contacted the company multiple times, but received no response.
What iOS book app leaked?
- Book lists
- Names
- Email addresses
- IP addresses
- Purchases
- Device metadata
Why is your book list interesting to hackers?
When it comes to online privacy, you might think a few book titles here and there are harmless. But in reality, the leaked data from My Book List is a treasure trove for malicious actors, especially when it comes to phishing scams.
By combining names and emails with details from your book list or other personal data, attackers can create highly targeted messages that make you more likely to fall for their trap.
Your book list might seem like a personal collection of your literary tastes, but to a hacker, it’s a roadmap to crafting the perfect scam.
Imagine receiving an email that looks like it’s from your favorite online bookstore, or the book app itself recommending you a new release. The email might even feature a book you’ve recently added to your list or a similar title, making it seem perfectly legit. But in reality, it’s a phishing attempt designed to get you to click on a fake link, give up sensitive information, or download malware.
A leaked IP can help determine your approximate location, enabling scammers to craft localized phishing attempts. For example, an attacker might use your IP to spoof an email from a service you regularly use, appearing more legitimate because it seems to come from your area or region.
A scammer can also use leaked device metadata to craft attacks that seem tailored specifically to your usage patterns. If they know what device you use, what operating system you have, or what apps you regularly use, they can target you with more sophisticated attacks, like fake app updates or prompts to "verify" your device security.
The leak happened due to a Firebase misconfiguration. Firebase is meant to be a temporary storage space. When it fills up, it syncs with a permanent database, and older entries get wiped. So, what’s visible in the system right now is just the tip of the iceberg.
The real danger here is that hackers can set up scrapers that constantly monitor and suck down data from the Firebase instance in real-time.
Secrets up for grabs
To make matters worse, My Book List had a misconfigured database and stashed sensitive information, known as secrets, on the client side of the app.
What secrets did the iOS book app leak?
- API Key
- Client ID
- Database URL
- Google App ID
- Project ID
- Reversed Client ID
- Storage Bucket
- Facebook App ID
- Facebook Client Token
The exposed secrets include several of the ten most frequently leaked secret types among iOS apps. Cybersecurity experts warn that leaving API keys, credentials, and other sensitive information in the published app’s code – or, in other words, "hardcoding" them – is a dangerous practice, giving hackers easy access to the backend systems.
With secrets in hand, a threat actor could map out the app’s entire backend infrastructure, start abusing the app’s own services to harvest more user data, spin up fake requests, or even send spam directly through the app’s infrastructure, effectively weaponizing it from the inside.
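The two weaknesses described above, secrets shipped inside the app bundle and a database that answers unauthenticated requests, can both be checked from the defender's side. The following is an added example, not code from the article or from the app's developer: it reads a constructed GoogleService-Info.plist-style file for the secret categories the article lists (the Firebase and Facebook SDK plist key names are real; the values are placeholders), and walks a Firebase Realtime Database rules document to flag any path that is readable or writable without a condition, showing the open form beside an owner-scoped rewrite.

```python
import plistlib

# Plist keys written by the Firebase and Facebook iOS SDKs; these correspond to the
# secret categories the article lists for the leaking app.
FIREBASE_KEYS = {"API_KEY", "CLIENT_ID", "DATABASE_URL", "GOOGLE_APP_ID",
                 "PROJECT_ID", "REVERSED_CLIENT_ID", "STORAGE_BUCKET"}
FACEBOOK_KEYS = {"FacebookAppID", "FacebookClientToken"}

# Constructed sample of what a bundle-extracted plist looks like; every value is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>API_KEY</key><string>AIza-PLACEHOLDER-KEY</string>
  <key>DATABASE_URL</key><string>https://example-project.firebaseio.com</string>
  <key>STORAGE_BUCKET</key><string>example-project.appspot.com</string>
  <key>FacebookClientToken</key><string>0123456789abcdef</string>
  <key>BUNDLE_ID</key><string>com.example.booklist</string>
</dict></plist>"""

def find_shipped_secrets(plist_bytes):
    """Return the secret-bearing keys present in a plist pulled from an app bundle."""
    data = plistlib.loads(plist_bytes)
    return sorted(k for k in data if k in FIREBASE_KEYS | FACEBOOK_KEYS)

# Realtime Database rules: the wide-open form beside an owner-scoped rewrite that
# only lets an authenticated user touch their own record.
OPEN_RULES = {"rules": {".read": True, ".write": True}}
SCOPED_RULES = {"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}

def public_paths(rules, path="/"):
    """Walk a rules tree and list every path:permission that is unconditionally granted."""
    found = []
    for key, value in rules.items():
        if key in (".read", ".write") and (value is True or value == "true"):
            found.append(f"{path}:{key}")
        elif isinstance(value, dict):
            child = path if key == "rules" else path.rstrip("/") + "/" + key
            found.extend(public_paths(value, child))
    return found

if __name__ == "__main__":
    print("shipped secrets:", find_shipped_secrets(SAMPLE_PLIST))
    print("open paths (bad rules):", public_paths(OPEN_RULES))
    print("open paths (scoped rules):", public_paths(SCOPED_RULES))
```

The plist keys tell an outsider which backend project the app talks to; whether that backend then hands over user records is decided by the rules document, so the second check is the one that closes the leak.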
iOS apps are leaking data on a massive scale
The current leak was uncovered as part of an investigation by Cybernews, where researchers analyzed 156,000 iOS apps, roughly 8% of the entire App Store.
Researchers found something truly alarming: app developers are routinely hardcoding sensitive credentials directly into their app code, leaving them exposed to anyone. 71% of the analyzed apps leak at least one secret, with an average app's code exposing 5.2 secrets.
Some of the cases are extremely troublesome. Cybernews uncovered that several popular iOS dating apps were leaking hardcoded credentials which gave access to cloud storage buckets containing nearly 1.5 million user photos. Leaked data included deleted images, rule-breaking content, and private pictures sent through private messages.
In another case, an iPhone app designed to help families track each other’s locations was actually leaking real-time GPS coordinates to the open internet.
Meanwhile, an iPhone spam blocker meant to protect users from robocalls and malicious texts was leaking blocked numbers, keywords, and customer support tickets containing real names and emails.
Disclosure timeline:
Leak discovered: January 7th, 2025
Initial disclosure: January 15th, 2025
CERT contacted: February 13th, 2025