Check Point Research (CPR) finds sensitive data of mobile applications unprotected and available to anyone with a browser. By searching “VirusTotal”, CPR found 2,113 mobile applications whose databases were unprotected in the cloud and exposed, throughout the course of a three-month research study.
The mobile applications ranged from 10,000+ downloads to 10,000,000+ downloads. Sensitive data found exposed by CPR included: personal family photos, token IDs on healthcare applications, data from cryptocurrency exchange platforms and more. CPR provides several examples of applications whose data was found exposed. In one example, CPR found over 50,000 private messages exposed from a popular dating application. CPR warns how easily a data breach can happen through the method outlined and what developers can do to better protect their applications in the cloud. In order to prevent exploitation, CPR will not list the names of the mobile applications involved in the research at this time.
- CPR gives six examples of mobile applications whose databases were left unprotected and exposed
- One application left 130,000 user names and emails exposed, another application left 80k company names, addresses, bank balances exposed
- CPR estimates that the databases of thousands of applications are left exposed each month
Check Point Research (CPR) found sensitive data of a number of mobile applications exposed and available to anyone with a browser. By searching “VirusTotal”, CPR found 2,113 mobile applications whose databases were unprotected and exposed throughout the course of a three-month research study. VirusTotal, a subsidiary of Google, is a free online tool that analyzes files and URLs to detect viruses, trojans, and other forms of malware.
The mobile applications ranged from 10,000+ downloads to 10,000,000+ downloads. Sensitive data found exposed by CPR included: chat messages in popular dating apps, personal family photos, token IDs on healthcare applications, data from cryptocurrency exchange platforms and more. CPR is warning the public of how easy it is to locate data sets and critical resources of applications by querying public repositories, and urging the industry to exercise better cloud security practices.
Methodology to Access
To access exposed databases, the methodology is simple:
- Look on VirusTotal for mobile applications that communicate with cloud services
- Filter for the ones that have direct access to data
- Browse to the link received
Lotem Finkelsteen, Head of Threat Intelligence and Research at Check Point Software, said, “In this research, we show how easy it is to locate data sets and critical resources that are open on the cloud to anyone who can simply get access to them by browsing. We share a simple method of how hackers can possibly do it. The methodology entails searching public file repositories like VirusTotal for mobile applications that use cloud services. A hacker can query VirusTotal for the full path to the cloud backend of a mobile application. We share a few examples of what we could find in there ourselves. Everything we found is available to anyone. Ultimately, with this research we prove how easy it is for a data breach or exploitation to occur. The amount of data that sits openly and that is available to anyone on the cloud is crazy. It is much easier to breach than we think.”
How to Stay Safe:
Here are some tips to ensure your different cloud services are secure:
- Amazon Web Services (AWS CloudGuard S3 Bucket Security): “Ensure S3 buckets are not publicly accessible” (Rule ID: D9.AWS.NET.06)
- Google Cloud Platform: “Ensure that Cloud Storage DB is not anonymously or publicly accessible” (Rule ID: D9.GCP.IAM.09)
- Microsoft Azure: “Ensure default network access rule for Storage Accounts is set to deny” (Rule ID: D9.AZU.NET.24)
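As an added example that is not part of the CPR report, the following Python functions apply the spirit of the three rules above offline, to configuration documents in the shapes the cloud SDKs and CLIs return (assumed: the boto3 bucket policy and Public Access Block documents, a `gcloud` bucket IAM policy, and the `az storage account` network rule set). The sample inputs are constructed for the example.

```python
"""Offline checks mirroring the three cloud storage rules above (added example)."""
import json

PUBLIC_GCP_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal) -> bool:
    """True for "Principal": "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def s3_policy_public_statements(policy_json: str) -> list:
    """Sids of Allow statements granted to everyone (AWS rule D9.AWS.NET.06 spirit).
    A Condition block narrows the grant but still needs manual review, so it is flagged too."""
    policy = json.loads(policy_json)
    return [st.get("Sid", "<no Sid>") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and _principal_is_public(st.get("Principal"))]


def s3_public_access_block_ok(pab: dict) -> bool:
    """All four S3 Public Access Block flags must be enabled (assumed boto3 shape)."""
    return all(pab.get(flag) is True for flag in PAB_FLAGS)


def gcs_public_bindings(iam_policy: dict) -> list:
    """Roles bound to allUsers/allAuthenticatedUsers (GCP rule D9.GCP.IAM.09 spirit)."""
    return [b["role"] for b in iam_policy.get("bindings", [])
            if PUBLIC_GCP_MEMBERS & set(b.get("members", []))]


def azure_default_action_is_deny(network_rule_set: dict) -> bool:
    """Storage account default network action must be Deny (Azure rule D9.AZU.NET.24 spirit)."""
    return str(network_rule_set.get("defaultAction", "Allow")).lower() == "deny"


# Constructed sample inputs (not taken from the report).
SAMPLE_PUBLIC_S3_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_GCS_IAM = {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]},
                               {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]}

if __name__ == "__main__":
    print("public S3 statements:", s3_policy_public_statements(SAMPLE_PUBLIC_S3_POLICY))
    print("public GCS bindings:", gcs_public_bindings(SAMPLE_GCS_IAM))
```

Run it against the real documents fetched with the provider's SDK or CLI; every non-empty list or False result is a bucket or storage account that would show up the way the report describes.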