Top photo ID apps leak user data - over 150,000 thought to have been affected

News
By published

Database misconfigurations resulted in a huge data leak

Hands on a laptop with overlaid logos representing network security
(Image credit: Thapana Onphalai via Getty Images)
  • Cybernews found three misconfigured photo ID apps leaking sensitive user data via exposed Firebase instances
  • Breach exposed emails, usernames, profile photos, GPS coordinates, and notification tokens, affecting ~152K users
  • Hackers already accessed the open databases; developers remain unresponsive despite repeated contact attempts

Multiple mobile applications that identified objects in photographs were leaking highly sensitive information on the internet, and hackers managed to pick it up.

All three applications had misconfigured Firebase instances resulting in insufficient authentication and access controls. The data was sitting in an open database, and included people’s email addresses, usernames (often including full names), Firebase Cloud Messaging (FCM) notification tokens, profile photos, and GPS coordinates.

You will notice that not all users of the apps were compromised. This is likely due to optional features relying on the misconfigured Firebase instances, so it is possible that only people who enabled certain extras were compromised.

Hackers sniffed them out

According to Cybernews, the three apps found to be leaking data were:

  • Dog Breed Identifier Photo Cam (500K downloads, 66,182 users affected)
  • Spider Identifier App by Photo (500K downloads, 40,779 users affected)
  • Insect identifier by Photo Cam (1M downloads, 45,005 users affected)

Most of the data could be used maliciously for phishing and identity theft, but GPS coordinates make this breach even worse, since they can uncover where people live, where they go to work, and what their daily habits are.

Cybernews’ researchers said that they found a Proof-of-Concept entry in the databases, which is a “common marker left behind by automated bots that scan the internet for unsecured databases”. In other words - hackers already found the files.

“The number of app installs is significant. It's a common metric users rely on to gauge the app’s popularity, which is also a trust factor,” said the Cybernews research team. “These data leaks show that relying solely on an app's popularity to gauge its security is not enough.”

Unfortunately, the researchers could not get in touch with the apps’ developers, despite reaching out on numerous occasions.

Via Cybernews

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.