In a recent discovery by Cybernews, the Android app Barcode to Sheet, which boasts more than 100k Google Play downloads and a 4.5-star rating, was found to have an openly accessible database instance, exposing sensitive user information and enterprise data.
The app, catering to e-commerce clients by facilitating barcode-to-spreadsheet data transfers, inadvertently left its Firebase database, containing 368MB of data, accessible to anyone. This Firebase database, a common storage service for app data, contained enterprise records and user information.
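The kind of misconfiguration described above is usually a Firebase Realtime Database security rule that grants read or write access without any authentication or ownership check. The following is an added example, not code from Cybernews or from the app's developers: it lints a rules document for such grants, using two constructed rule sets (an open one and a hardened one) that are assumptions for illustration and not the app's actual configuration.

```python
import json
from typing import List

# Constructed example of rules that leave the whole database readable and
# writable by anyone (hypothetical; not the app's actual rules).
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed hardened rules: each user may only reach their own record,
# and only when authenticated (auth.uid must match the path segment).
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
})

# Rule expressions that grant access too broadly: an unconditional "true"
# (JSON boolean or string) or a bare "any signed-in user" check with no
# ownership condition.
PERMISSIVE = ("true", "auth != null")


def find_open_paths(rules_json: str) -> List[str]:
    """Return '<path> <rule>=<value>' entries for every .read/.write rule
    in the document whose expression is on the permissive list."""
    findings: List[str] = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                expr = str(value).strip().lower()
                if expr in PERMISSIVE:
                    findings.append(f"{path or '/'} {key}={value!r}")
            elif isinstance(value, dict):
                # Descend into child locations, including $wildcard keys.
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings


if __name__ == "__main__":
    print("open rules    :", find_open_paths(OPEN_RULES))
    print("hardened rules:", find_open_paths(HARDENED_RULES))
```

Run against an exported rules document, a non-empty result means some location is reachable without an ownership check and should be reviewed before deployment.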
Sensitive enterprise data, including product details, reports, emails, and user IDs, was stored in plaintext, while user passwords were stored as MD5 hashes, a weak format. Although intended to protect the passwords, MD5 hashes can be cracked without advanced programming knowledge.
Moreover, the open server exposed critical client-side information, including access keys and IDs: the web client ID, Google API key, Google app ID, and crash reporting key, values that are normally restricted to the app's developers.
Cybernews emphasized the gravity of the situation, stating, “The leaked data is sensitive, encompassing the app’s client-side secrets, enterprise, and user information, including user passwords.”
The exposure of such a substantial dataset for an app with a moderate user base raises concerns that the data could end up for sale on the dark web. Leaked personally identifiable information (PII), such as credit card and social security numbers, is often sold on the dark web for minimal prices and can be exploited by criminals for financial fraud and identity theft.