Mosbeau, a shopping app specializing in beauty products, has exposed the data of its customers, leaving their names, IDs, and chats with support agents for anyone to access.
Mosbeau is a Japanese brand marketing itself as a “skin whitening and anti-aging expert.” It sells cosmetics for the face and body, as well as supplements that promise to boost the immune system and bestow “ageless beauty” upon users.
To promote its products and earn loyal customers, Mosbeau also operates an app for both iPhone and Android users.
But research by Cybernews has discovered that the company’s Android app, which currently has a 3.9 (out of 5) star rating based on over 700 reviews, was leaking customer data.
Cybernews research into more than 33,000 Android apps earlier this year found over 14,000 Firebase URLs hard-coded on the front end (client side) of the apps. More than 600 of those URLs pointed to open Firebase instances.
This means that by extracting the strings from an app's publicly distributed package, a threat actor could find the URL of its database and, if the instance is open, read the user data it holds.
Mosbeau was one of the apps that left its database open, exposing user data in this way.
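The check behind the "open Firebase instance" finding is a single unauthenticated GET against the database's REST endpoint. The following is an added example, not Cybernews' tooling or anything from the Mosbeau app: it builds the probe URL for a Firebase Realtime Database URL recovered from an app, classifies the response, and can optionally run the probe live. The project names and the HTTP responses in `SAMPLES` are constructed for illustration (the "Permission denied" body is the shape the Firebase REST API returns when security rules block a read; the 404 case is assumed for a database that does not exist).

```python
"""Classify a Firebase Realtime Database URL found in an APK as publicly
readable or not. Example code added to this article; it is not Cybernews'
tooling. Sample project names and responses below are constructed."""
import json
import re
import sys
import urllib.error
import urllib.request

# Legacy <project>.firebaseio.com hosts and newer regional
# <name>.<region>.firebasedatabase.app hosts.
FIREBASE_RE = re.compile(
    r"^https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)$"
)


def probe_url(db_url: str) -> str:
    """Build the read-only REST probe for the database root.

    '/.json' is the REST view of the root node. 'shallow=true' asks only for
    the top-level keys, so an open database the size of the one in the article
    (85 MB) is confirmed as readable without downloading it."""
    db_url = db_url.rstrip("/")
    if not FIREBASE_RE.match(db_url):
        raise ValueError(f"not a Firebase Realtime Database URL: {db_url}")
    return db_url + "/.json?shallow=true"


def classify(status: int, body: str) -> str:
    """Map the probe's HTTP status and body onto a verdict."""
    if status == 200:
        # A body of 'null' still means the root is readable, just empty.
        return "open: root readable without authentication"
    if status in (401, 403):
        try:
            err = json.loads(body).get("error", "")
        except ValueError:
            err = body
        if "Permission denied" in err:
            return "closed: security rules deny unauthenticated reads"
        return f"closed: {err or 'access denied'}"
    if status == 404:
        return "no database at this URL (assumed: project deleted or never created)"
    return f"inconclusive: HTTP {status}"


def live_probe(db_url: str, timeout: float = 10.0) -> str:
    """Run the probe against a real instance. GET only: never attempt writes
    to test '.write' rules, since that is how an open database gets wiped."""
    req = urllib.request.Request(probe_url(db_url), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.read().decode())


# Constructed responses modelled on the Firebase REST API; none of these
# projects are real.
SAMPLES = {
    "https://example-open-app.firebaseio.com": (200, '{"chats":true,"users":true}'),
    "https://example-locked-app.firebaseio.com": (401, '{"error":"Permission denied"}'),
    "https://example-gone-app.firebaseio.com": (404, '{"error":"404 Not Found"}'),
}


def audit(samples=SAMPLES) -> dict:
    """Classify each (status, body) pair, keyed by database URL."""
    return {url: classify(status, body) for url, (status, body) in samples.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: python firebase_probe.py https://<project>.firebaseio.com
        for url in sys.argv[1:]:
            print(url, "->", live_probe(url))
    else:
        for url, verdict in audit().items():
            print(url, "->", verdict)
```

Only probe databases you are authorized to test. The read probe is harmless; the "completely wiped it out" scenario in the article corresponds to a `.write: true` rule, and there is no non-destructive way to confirm that from outside, so it is assessed from the rules themselves in the Firebase console rather than by sending a PUT or DELETE.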
According to the Cybernews researchers, the 85 MB dataset consisted of customer-support data: user names, IDs, chat messages, and timestamps of when users were last seen online.
Cybernews researchers consider the database significant, given its size relative to the number of downloads the app has – just 10,000 on the Google Play store.
"Since the Firebase was left open to public access without any authorization, a threat actor could have either completely wiped it out or used it for phishing or other malicious purposes," the Cybernews research team said.
We contacted the app developer, and the Firebase instance has since been closed to public access.
The app also had other sensitive information hard-coded into its client side, including a Google API (application programming interface) key and a Google Cloud Storage bucket address.
"The data leaked was not as sensitive as passwords. However, it included some personal information shared during customer-support procedures in the messages themselves that were exposed to public access," Cybernews said.
Mosbeau has not responded to our email asking how long the dataset was exposed and whether threat actors could have used the hard-coded secrets to reach further data.
Leaky Android Apps
While analyzing those Android apps, our researchers found more than 124,000 strings that potentially leak sensitive data.
They identified 22 distinct types of secrets; various API keys, URLs of open Firebase databases, and links to Google Storage buckets were the most sensitive.
The largest numbers of hardcoded secrets were found in apps in five categories: health and fitness, education, tools, lifestyle, and business.
“Hardcoding sensitive data into the client-side of an Android app is a bad idea,” said the Cybernews research team. “In most cases, it can be easily accessed through reverse-engineering.”
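The string-level search described in this section, and the hard-coded key and bucket address found in the Mosbeau app above, come down to pattern matching over the text recovered from a decompiled package (for example the output of `apktool d app.apk` or `strings classes.dex`). The following is an added example and not Cybernews' scanner: it carries a handful of the secret types the article names (Google API key, Firebase database URL, Google Storage bucket) plus two common extras, and runs them over a constructed sample shaped like decompiled app resources. The sample key and project names are made up and are not real credentials.

```python
"""Scan strings recovered from a decompiled Android app for hard-coded
secrets. Example code added to this article; not Cybernews' tooling. The
pattern set is a small subset of what a full scanner carries, and the SAMPLE
below is constructed."""
import re
import sys
from collections import Counter
from typing import Iterable, List, Dict

# (secret type, regex). The first three mirror the types the article singles
# out; the last two are common extras.
PATTERNS = [
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")),
    ("firebase_db_url", re.compile(
        r"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)")),
    ("google_storage_bucket", re.compile(
        r"(?:gs://|https://storage\.googleapis\.com/)[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]"
        r"|\b[a-z0-9-]+\.appspot\.com\b")),
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]


def scan(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per match: line number, secret type, matched text."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append({"line": lineno, "type": kind, "value": m.group(0)})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per secret type."""
    return dict(Counter(f["type"] for f in findings))


# Constructed sample, shaped like res/values/strings.xml entries and string
# constants from classes.dex. The key is a placeholder, not a real credential.
SAMPLE = [
    '<string name="google_api_key">AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6R</string>',
    '<string name="firebase_database_url">https://example-shop.firebaseio.com</string>',
    '<string name="google_storage_bucket">example-shop.appspot.com</string>',
    'Lcom/example/shop/ChatRepository; https://example-shop-default-rtdb.europe-west1.firebasedatabase.app/chats',
    'gs://example-shop-user-uploads/',
    'This line has nothing of interest.',
]


if __name__ == "__main__":
    # Usage: python secret_scan.py strings.txt   (or no argument for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            found = scan(fh)
    else:
        found = scan(SAMPLE)
    for f in found:
        print(f"line {f['line']:>5}  {f['type']:<22} {f['value']}")
    print("summary:", summarize(found))
```

A hit is a lead, not a verdict. A Firebase config (API key, database URL, bucket name) is expected inside any Android app that uses Firebase; the risk lies in what those values let an unauthenticated caller do. The database URL matters only if the security rules allow public reads or writes, and the API key matters according to how it is restricted: a key locked to the app's package name and signing certificate and to the APIs it actually needs is far less useful to an attacker than an unrestricted one. Each finding therefore needs a follow-up check against the instance or key's actual configuration before it is reported as a leak.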