Data Exposure Alert: GST Invoice Billing Inventory App Leaves Database Unsecured

A significant security lapse has been identified in the GST Invoice Billing Inventory app, a widely used business accounting application for small and medium-sized enterprises. The app, which has amassed over 1 million downloads, inadvertently left a database unprotected, resulting in the exposure of sensitive personal and corporate data.

The GST Invoice Billing Inventory app, formerly known as Book Keeper, is among the numerous applications on the Google Play Store that have embedded sensitive data within the client-side code. This oversight allows malicious actors to access API keys, Google Storage buckets, and unsecured databases by merely analyzing publicly available app data.

Utilized by businesses for a variety of financial tasks, including invoicing, expense tracking, inventory management, and financial reporting, the app enjoys a high user rating. Despite this popularity, a grave concern has arisen due to the potential exploitation of the exposed data.

Research conducted by Cybernews, which scrutinized over 33,000 Android apps, led to the discovery of more than 14,000 Firebase URLs within the client-side code of Android applications. Among these, over 600 were found to be open Firebase instances, with GST Invoice Billing Inventory being one of the affected apps.

Firebase, a JSON database commonly used for Android app development, stores both public and private information related to an application and its users. The exposed dataset from the GST Invoice Billing Inventory app included user phone numbers, device types, emails, account creation dates, addresses, and details regarding premium app version purchases.
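An "open" Firebase Realtime Database instance is one whose security rules allow unauthenticated reads or writes, so anyone holding the database URL embedded in the app can pull the whole dataset. The following added example (not code from the app, its developer, or Cybernews) shows a constructed open rules document next to a hardened default-deny one, plus a small audit that flags permissive `.read`/`.write` rules; the `users/$uid` layout is an assumed structure for illustration.

```python
import json

# Constructed example of rules that leave an instance "open": anyone who
# knows the database URL can read and write everything without signing in.
# (Sample rules for illustration, not the app's actual configuration.)
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Hardened counterpart (assumed layout): deny by default at the root, and let
# each authenticated user access only their own subtree.
HARDENED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")


def find_permissive_rules(rules, path="/"):
    """Walk a rules tree and return paths whose .read/.write grant access
    without any authenticated user. A rule is flagged when it is literally
    true, or an expression string that never references `auth` (heuristic:
    such an expression cannot require a signed-in user)."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if value is True or (isinstance(value, str) and "auth" not in value):
                findings.append(f"{path}{key}")
        elif isinstance(value, dict):  # descend into child locations
            findings.extend(find_permissive_rules(value, f"{path}{key}/"))
    return findings


def audit(rules_doc):
    """Audit a full rules document of the form {"rules": {...}}."""
    return find_permissive_rules(rules_doc["rules"])
```

Run `audit(OPEN_RULES)` to see both root rules reported, while `audit(HARDENED_RULES)` returns nothing; the `auth` substring check is a heuristic, so treat its output as a starting point for review rather than a complete verdict.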

Moreover, corporate data such as names, emails, locations, invoice counts, turnovers, office addresses, bank and cash balances, and tokens were also part of the compromised dataset. Although the dataset’s size of 149MB may seem modest relative to the app’s user base, it translates to over seven million rows of sensitive business information, posing a significant risk if misused.

In addition to the open database, the app was found to be leaking other hard-coded secrets, including API keys and links to Google Storage Buckets, among other less sensitive data.

The implications of such data exposure are severe, with potential consequences including operational downtime, data loss, reputational damage, diminished consumer confidence, legal action, and ransomware attacks. Cybersecurity experts emphasize the importance of regular penetration testing by third parties and the need for ongoing maintenance and updates to prevent such vulnerabilities.
