Android app with over 5m downloads leaked user browsing history
Security Affairs | Saga Tech

The Android app Web Explorer – Fast Internet left a Firebase instance open, exposing a trove of sensitive data that malicious actors could use to look into specific users' browsing history.

Original post at https://cybernews.com/security/android-app-leaked-user-browsing-history/

A browsing app for Android devices, Web Explorer – Fast Internet, left its Firebase instance open, exposing app and user data, the Cybernews research team has discovered.

Firebase is a mobile application development platform that offers many features, including analytics, hosting, and real-time cloud storage.

Web Explorer – Fast Internet is a browsing app with over 5 million downloads on the Google Play store. It boasts of increasing browsing speed by 30% and has an average user rating of 4.4 out of 5 stars across more than 58,000 reviews.

De-anonymize users

According to the team, the open Firebase instance contained days' worth of redirect data, listed by user ID. This included country, redirect initiating address, redirect destination address, and user country.

"If threat actors could de-anonymize the app's users, they'd be able to look into a host of information on the browsing history of a specific user and use it for extortion," Cybernews researchers said.

However, getting their hands on the data that Web Explorer – Fast Internet left exposed wouldn't be enough by itself. A threat actor would also have to find out where the app's developers store additional user data. That said, cross-referencing the leaked data with additional details could amplify any damage done to the app's users.

Keys and IDs

The team also discovered that the app had sensitive information hardcoded on the client side of the application. Hardcoding sensitive information, commonly referred to as "secrets," is considered bad practice, as threat actors can extract it for malicious use.

Web Explorer – Fast Internet had a hardcoded firebase_database_url that points to a database with anonymized partial user browsing history; default_web_client_id, a unique public identifier issued for an application using Firebase; and gcm_defaultSenderId, the project's sender ID (its project number) used for push messaging through Firebase Cloud Messaging (formerly GCM).

The app also held google_api_key and google_app_id, both used for authentication purposes. The API key and app ID are used to identify a verified Google app when accessing Google API services.

Additionally, the team found google_crash_reporting_key and google_storage_bucket hardcoded in the app. The former is not considered too sensitive, but threat actors can still abuse it to affect the user experience. For example, they could issue mock requests, disrupting the app's crash reporting and negatively affecting performance.

Meanwhile, leaving google_storage_bucket hardcoded in the app allows threat actors to read and write any data in the dedicated bucket in Google Cloud Storage (GCS) if the bucket lacks an authorization setup. Even though the team didn't check whether the bucket was publicly accessible, it is still a misconfiguration case that could lead to sensitive user details being further exposed. A practitioner's caveat: all of the identifiers above are compiled into every Firebase-backed app from google-services.json, so what actually decides exposure is the project's Security Rules (for the Realtime Database and Storage) and the bucket's IAM policy, not whether the values can be read out of the APK.
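As an added example, not code from the article or from the Cybernews team, the following Python script shows the two things a practitioner would do with the identifiers discussed in the "Keys and IDs" section and the open instance described under "De-anonymize users": pull the Firebase resources out of the res/values/strings.xml that apktool leaves after decompiling an APK (the resource names are the ones the google-services Gradle plugin generates; the article's google_api_id is that plugin's google_app_id), then build the unauthenticated probes that tell whether the Realtime Database and the storage bucket are actually readable. The embedded strings.xml is constructed with placeholder values, and the database hostname and bucket name are assumptions, not the real app's.

```python
"""Extract Firebase identifiers from a decompiled APK and derive the
access checks that matter (are Security Rules open?).

Added example for this article; the strings.xml below is a constructed
sample with placeholder values, not data from the real app."""
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Resource names the google-services Gradle plugin compiles into
# res/values/values.xml (apktool shows them in res/values/strings.xml).
FIREBASE_RESOURCES = (
    "firebase_database_url", "default_web_client_id", "gcm_defaultSenderId",
    "google_api_key", "google_app_id", "google_crash_reporting_key",
    "google_storage_bucket",
)

# Constructed sample of what `apktool d app.apk` leaves behind; hostnames,
# bucket and key values are placeholders (assumptions), not the real app's.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">Example Browser</string>
    <string name="firebase_database_url">https://example-project-default-rtdb.firebaseio.com</string>
    <string name="default_web_client_id">000000000000-abcdefghijklmnop.apps.googleusercontent.com</string>
    <string name="gcm_defaultSenderId">000000000000</string>
    <string name="google_api_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPL</string>
    <string name="google_app_id">1:000000000000:android:0123456789abcdef</string>
    <string name="google_crash_reporting_key">AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPL</string>
    <string name="google_storage_bucket">example-project.appspot.com</string>
</resources>
"""


def extract_firebase_config(strings_xml: str) -> dict:
    """Return {resource_name: value} for the Firebase-generated <string> entries."""
    root = ET.fromstring(strings_xml)
    found = {}
    for node in root.iter("string"):
        name = node.get("name")
        if name in FIREBASE_RESOURCES and node.text:
            found[name] = node.text.strip()
    return found


def probe_urls(cfg: dict) -> dict:
    """Unauthenticated endpoints whose response reveals whether rules are open."""
    urls = {}
    if "firebase_database_url" in cfg:
        # shallow=true returns only top-level keys, so an open database is
        # confirmed without downloading the whole dump.
        urls["rtdb"] = cfg["firebase_database_url"].rstrip("/") + "/.json?shallow=true"
    if "google_storage_bucket" in cfg:
        # Firebase Storage REST object listing; anything but 200 means the
        # rules (or IAM) deny anonymous listing of the bucket.
        urls["storage"] = ("https://firebasestorage.googleapis.com/v0/b/"
                           + cfg["google_storage_bucket"] + "/o")
    return urls


def classify_rtdb_response(status: int, body: str) -> str:
    """Map a Realtime Database `.json` response to a finding.

    A locked database answers 401 with {"error": "Permission denied"};
    an open one answers 200 with the data, or the literal `null` if empty."""
    if status == 401 and "Permission denied" in body:
        return "locked"
    if status == 200:
        return "open-empty" if body.strip() == "null" else "open"
    return f"unexpected-{status}"


def fetch(url: str, timeout: float = 10.0) -> tuple:
    """(status, body) for an anonymous GET; only used with --live."""
    req = urllib.request.Request(url, headers={"User-Agent": "firebase-rules-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    cfg = extract_firebase_config(SAMPLE_STRINGS_XML)
    for name, value in cfg.items():
        print(f"{name:28s} {value}")
    urls = probe_urls(cfg)
    if "--live" in sys.argv and "rtdb" in urls:
        status, body = fetch(urls["rtdb"])
        print("rtdb:", classify_rtdb_response(status, body))
    else:
        print("probe URLs:", json.dumps(urls, indent=2))
```

Without `--live` the script only prints the extracted values and the probe URLs; pass `--live` only against a project you are authorized to test. A 401 "Permission denied" from `/.json?shallow=true` means the Realtime Database rules are locked; a 200 with data is the open instance the article describes, and the same GET with a browser is all an attacker needs.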

Is it solved now?

The team reached out to Web Explorer but …. give a look at the original post at https://cybernews.com/security/android-app-leaked-user-browsing-history/

About the author: Vilius Petkauskas, Senior Journalist

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android app)
