
For the privacy savvy, generating adult content online is rarely a good idea. For example, Apple App Store’s Novel AI: Book Creator leaked its Firebase database, revealing that its users generated far spicier stuff than your average ghost story.
- Novel AI: Book Creator exposed user-generated stories and other personal data
- Some of the leaked stories were NSFW
- Attackers could exploit the leaked info for sextortion and blackmail
- Cybernews has contacted the app’s developers but has received no reply
We, the users, often put too much trust in app makers and their concern about our privacy. Take the iOS app Novel AI: Book Creator. According to the Cybernews research team, the app was leaking user data due to a security rule misconfiguration.
The app, which has nearly 2,000 ratings on the App Store in the US, allows users to generate their own stories using artificial intelligence (AI). However, a security misconfiguration made these stories publicly accessible. Moreover, interactions with customer support and email addresses have also been exposed.
The only silver lining is that AI prompts themselves were anonymized, which means that threat actors could only know which stories were generated by the same user, without any personal data attached. Or, in other words, they’d need to put in more effort to discover which story was made by whom.
Worryingly, though, the exposed data has been accessible for over a month now despite multiple attempts to contact the app’s developers. We have reached out to the people behind Novel AI: Book Creator for comment and will update the article once we receive a reply.
“The data leaked included communications with customer support, personally identifiable information such as email addresses, and leaked user-generated stories. Some user-generated stories included adult content,” Aras Nazarovas, Information security researcher at Cybernews, observed.
What data did the iOS app leak?
The data was leaked via a Firebase database, which serves as a staging ground for data that gets synced with a permanent storage system once it reaches a certain threshold. According to the team, the exposed instance leaked private details such as:
- User interactions with customer support
- User email addresses
- Stories users generated with AI’s help
As previously indicated, user stories were only paired with user IDs, not names, but attackers could still link the two. According to our researchers, attackers could determine which user created a certain story if, for example, the same user left feedback or a customer support query in the app.
Meanwhile, the team noted that some users would likely want to avoid anyone knowing they prompted AI with certain queries as at least some of the stories were heavily sexual.
“Leaking this type of content becomes much more sensitive, as it may reveal embarrassing, or socially unacceptable preferences and threat actors can exploit such information for blackmail or sextortion,” Nazarovas explained.
The team believes that attackers could utilize the leak to set up data scrapers, constantly downloading sensitive data from the exposed Firebase instance. Moreover, cybercrooks could gain real-time access to new data such as submitted AI prompts, and submitted customer support queries, including email addresses.
At the time the investigation was conducted, the Firebase instance was leaking around 400 customer support emails with email addresses, as well as 55,000 user-generated stories. However, Firebase serves as a temporary database, which means that the actual amount of data stored by the service could be much higher.
iOS app secrets revealed
Sensitive user details were not the only data exposed. Numerous app secrets on the client side of the application were also exposed, including the following keys and IDs:
- API Key
- Client ID
- Database URL
- Google App ID
- Project ID
- Reversed Client ID
- Storage Bucket
- Facebook App ID
- Facebook Client Token
Leaving API keys and database URLs accessible heightens security risks. Attackers could decompile the app and discover leaked credentials to access backend services, potentially bypassing the app’s security controls. As a result, numerous issues like unauthorized data access, account takeovers, or complete database breaches could occur.
Additionally, API keys can have extensive permissions, which attackers can exploit to modify or exfiltrate sensitive user data. Meanwhile, social media credentials like Facebook App ID could enable malicious actors to carry out impersonation attacks.
How do you fix leaky apps?
Researchers believe that, to effectively mitigate the issue, it’s best to focus on Firebase instances and hardcoded secrets separately. To fix Firebase-related issues, the team advised to:
- Make use of appropriate Firebase security rules, in order to make sure only authorized and authenticated users and services can access the data stored within.
“The Firebase instance used by the app was exposed and publicly accessible, allowing threat actors to connect to the database and “scrape” it in real-time, gaining access to information about any actions made by their users including access to customer support communications and user-supplied AI prompts,” our researchers said.
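The rule advice above is easier to act on with a concrete before-and-after in front of you. What follows is an added example written for this page, not code from Cybernews or from the app’s developers: it assumes the instance is a Firebase Realtime Database (whose rules are a JSON document), assumes a data layout with stories and support threads keyed by user ID (inferred from the article, not taken from the real app), and pairs a world-readable rule set with a per-user one. The `auditRules` function is a small check a defender can run over any rules document before deploying it; it goes slightly beyond the article by also flagging `auth != null` on a collection, since that lets any signed-in account read every record rather than only its own.

```javascript
// Added example (not from the Cybernews article or the app's developers):
// an audit of Firebase Realtime Database security rules, run against a weak
// and a hardened rule set. The data layout (stories, support) is assumed.

// Constructed: the kind of rule set that leaves an instance world-readable
// and world-writable, so anyone holding the database URL can scrape it.
const WEAK_RULES = {
  rules: {
    ".read": true,
    ".write": true,
  },
};

// Constructed: every record lives under its owner's uid and only that owner
// (or, for support threads, an account carrying a hypothetical `support`
// custom claim) can reach it.
const HARDENED_RULES = {
  rules: {
    stories: {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
    support: {
      "$uid": {
        ".read": "auth != null && (auth.uid === $uid || auth.token.support === true)",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
  },
};

// Walk the rules tree and report every .read/.write node that grants more than
// per-user access. Returns an array of { path, rule, expr, severity } findings.
function auditRules(rulesDoc) {
  const findings = [];
  function visit(node, path) {
    for (const [key, value] of Object.entries(node)) {
      if (key === ".read" || key === ".write") {
        const expr = String(value).replace(/\s+/g, " ").trim();
        if (expr === "false") continue;                       // explicitly closed
        if (value === true || expr === "true") {
          // Unauthenticated access: exactly the misconfiguration in the article.
          findings.push({ path: path || "/", rule: key, expr, severity: "critical" });
        } else if (!/auth\.uid|auth\.token/.test(expr)) {
          // e.g. "auth != null": any signed-in account can read every record here.
          findings.push({ path: path || "/", rule: key, expr, severity: "warning" });
        }
      } else if (value && typeof value === "object") {
        visit(value, `${path}/${key}`);                       // descend into child paths
      }
    }
  }
  visit(rulesDoc.rules || {}, "");
  return findings;
}

// Summarise findings for a CI log; an empty string means the rules passed.
function formatFindings(findings) {
  return findings
    .map((f) => `${f.severity.toUpperCase()} ${f.path} ${f.rule} = ${JSON.stringify(f.expr)}`)
    .join("\n");
}

console.log(formatFindings(auditRules(WEAK_RULES)) || "no findings");
console.log(formatFindings(auditRules(HARDENED_RULES)) || "no findings");
```

Rules are evaluated per path, so the audit walks the whole tree rather than only the root; a root that is locked down does not help if a child path reopens it. Treat a warning as a prompt to ask who actually needs that data, not as an automatic failure: some collections are meant to be shared among authenticated users.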
Meanwhile, to prevent apps’ secrets from falling into the wrong hands, the team advised to:
- Remove sensitive secrets from the client side of the application and place them on the server side, proxying traffic through your own infrastructure to the third-party services used by the app.
“Hardcoded secrets allow threat actors to enumerate infrastructure used by the app; if any authentication secrets are present, it may also allow threat actors to abuse the affected services in order to harvest user data or use the services for their own, unauthorized purposes,” Nazarovas explained.
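To make the "move it server-side and proxy the traffic" advice concrete, here is an added example of the server half of that pattern; it is not code from the article or from the app, and the upstream URL, the session store and the API key are all constructed stand-ins (a real deployment would read the key from the environment and verify a Firebase ID token with the Admin SDK rather than consult an in-memory map). The point it shows is that the third-party key never leaves the proxy: the app authenticates to the proxy with its own session token, the proxy decides the caller’s identity, and only then does it build the upstream request.

```javascript
// Added example (not from the Cybernews article or the app's developers):
// a server-side proxy that holds a third-party API key so the mobile client
// never ships it. Request handling is a pure function so it can be tested.

// Constructed stand-ins. Real code: process.env.THIRD_PARTY_KEY and a
// Firebase Admin SDK verifyIdToken() call instead of this map.
const THIRD_PARTY_KEY = "sk-constructed-example-key";
const VALID_SESSIONS = new Map([["session-abc", "user-42"]]);
const UPSTREAM_URL = "https://api.example.invalid/v1/generate"; // hypothetical

// Map a client session token to a user id, or null if unknown.
function verifySession(token) {
  return VALID_SESSIONS.get(token) || null;
}

// Decide what to do with one inbound request ({ headers, body }). Returns either
// a client-facing error (no upstream call is made) or the upstream request the
// proxy would send on the caller's behalf.
function handleProxyRequest(req) {
  const auth = req.headers["authorization"] || "";
  const m = /^Bearer (.+)$/.exec(auth);
  const uid = m ? verifySession(m[1]) : null;
  if (!uid) {
    return { status: 401, body: { error: "authentication required" } };
  }
  // Validate the one field we forward; the client does not get to shape the
  // upstream request freely.
  const prompt = req.body && req.body.prompt;
  if (typeof prompt !== "string" || prompt.length === 0 || prompt.length > 4000) {
    return { status: 400, body: { error: "prompt must be a non-empty string of at most 4000 chars" } };
  }
  return {
    status: 200,
    upstream: {
      url: UPSTREAM_URL,
      headers: {
        authorization: `Bearer ${THIRD_PARTY_KEY}`,   // the secret lives only here
        "content-type": "application/json",
      },
      body: { prompt, user: uid },                      // identity set by the server
    },
  };
}

// A check worth keeping in CI: nothing returned to the client contains the key.
function leaksSecret(response) {
  return JSON.stringify(response.body || {}).includes(THIRD_PARTY_KEY);
}

// Stand-alone runner: a minimal HTTP front end around handleProxyRequest.
if (typeof require !== "undefined" && require.main === module) {
  const http = require("node:http");
  http.createServer((req, res) => {
    let raw = "";
    req.on("data", (chunk) => { raw += chunk; });
    req.on("end", () => {
      let body = {};
      try { body = JSON.parse(raw || "{}"); } catch (e) { /* treat as empty */ }
      const out = handleProxyRequest({ headers: req.headers, body });
      // A real proxy would now fetch(out.upstream.url, ...) and relay the reply.
      res.writeHead(out.status, { "content-type": "application/json" });
      res.end(JSON.stringify(out.body || { accepted: true }));
    });
  }).listen(8080);
}
```

Because the proxy, not the client, supplies the user identity and the upstream credential, a decompiled app yields only the proxy’s address, and abuse of the third-party service is bounded by whatever rate limits and logging you put on the proxy.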
Many iOS apps are leaking secrets
Novel AI: Book Creator is hardly the first iOS app to suffer from leaky secrets. The team has recently discovered numerous apps with devastating security issues. For example, numerous BDSM, LGBTQ+, and sugar dating apps have been found exposing users' private images, with some of them even leaking photos shared in private messages.
In other cases, our researchers discovered that apps meant to track family members or secretly store sensitive data were leaking troves of sensitive data.
The recent leak was uncovered during a large-scale investigation – Cybernews researchers downloaded 156,000 iOS apps, around 8% of all apps on the App Store, discovering that developers leave plaintext credentials in application code accessible to anyone.
The findings revealed that 71% of the apps analyzed leak at least one secret, with an average app's code exposing 5.2 secrets.
- Leak discovered: January 7th, 2025
- Initial disclosure: January 15th, 2025
- CERT contacted: February 12th, 2025