The Android Web Explorer – Fast Internet app left an instance open, exposing a wealth of sensitive data that malicious actors could use to verify the browsing history of specific users.
Original post at https://cybernews.com/security/android-app-leaked-user-browsing-history/
A navigation app for Android devices, Web Explorer – Fast internet, left its Firebase instance open, exposing app and user data, Cybernews research team found.
Firebase is a mobile application development platform that offers many features including real-time cloud analytics, hosting, and storage.
Web Explorer – Fast Internet is a browser app with over five million downloads on the Google Play Store. It boasts of increasing browsing speed by 30% and has an average rating of 4.4 stars out of five, based on over 58,000 reviews.
De-anonymize users
According to the team, the opened Firebase instance contained days of redirect data, presented by user ID. This included country, redirect initiating address, redirect destination address, and user country.
“If threat actors could anonymize app users, they could check a bunch of information about a specific user’s browsing history and use it for extortion,” the researchers said. from Cyber News.
However, getting hold of the data that Web Explorer – Fast internet left uncovered alone would not be enough. A threat actor should also investigate where app developers store additional user data. That said, cross-referencing leaked data with additional details could amplify any harm to app users.
Keys and credentials
The team also discovered that the application contained sensitive information hard-coded on the client side of the application. Hard-coding sensitive information, commonly referred to as “secrets”, is considered bad practice because hackers could extract it for malicious purposes.
Web Explorer – Fast Internet had a hard-coded firebase_database_url key that points to a database with anonymized partial user browsing history, default_web_client_id, a unique public identifier sent for an application using Firebase, gcm_defaultSenderId, a key allowing communication between servers.
“If threat actors could anonymize app users, they could check a bunch of information about a specific user’s browsing history and use it for extortion purposes.”said the Cybernews researchers.
The app also contained google_api_key and google_api_id, both used for authentication purposes. The API Key and Application ID are used to identify a Google application verified to access Google API services.
Additionally, the team found the google_crash_reporting_key and google_storage_bucket keys hard-coded into the application. The first key is not considered overly sensitive, but hackers can still exploit it to impact user experience. For example, they could issue bogus queries, disrupting the app’s crash report and negatively affecting performance.
Meanwhile, leaving the google_storage_bucket_key hardcoded in the application allows threat actors to read and write all information about the dedicated bucket in the Google Cloud Service (GCS) if the bucket has no configuration authorization. Even though the team did not verify if the bucket was publicly accessible, it is still a case of misconfiguration that could lead to the exposure of sensitive user details.
Is it resolved now?
The team contacted Web Explorer but…. take a look at the
Original post at https://cybernews.com/security/android-app-leaked-user-browsing-history/
About the Author Vilius Petkauskas, Senior Journalist
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
Pierluigi Paganini
(Security cases – hacking, android app)
Share on