Thousands of mobile app cloud databases have been left exposed online
Unsecured databases put both consumers and businesses at risk
Businesses continue to leave their cloud databases unsecured online despite the risk of company data and even user data being exposed.
Following a three-month study, Check Point Research (CPR) found 2,113 mobile applications whose databases were unprotected in the cloud and could be accessed by anyone with a browser.
The mobile apps with exposed databases ranged from those with more than 10k downloads all the way to very popular apps with over 10m downloads. CPR found a wide variety of sensitive data from the apps in question including chat messages, personal photos, phone numbers, emails, user names, passwords and more.
Head of threat intelligence and research at Check Point Software, Lotem Finkelsteen, explained how the firm’s security researchers were easily able to find these exposed databases using the free online tool VirusTotal, saying:
“In this research, we show how easy it is to locate data sets and critical resources that are open on the cloud to anyone who can simply get access to them by browsing. We share a simple method of how hackers can possibly do it. The methodology entails searching public file repositories like VirusTotal for mobile applications that use cloud services. A hacker can query VirusTotal for the full path to the cloud backend of a mobile application. We share a few examples of what we could find in there ourselves. Everything we found is available to anyone. Ultimately, with this research we prove how easy it is for a data breach or exploitation to occur. The amount of data that sits openly and that is available to anyone on the cloud is crazy. It is much easier to breach than we think.”
Mobile apps with exposed databases
In a new blog post, CPR provided several examples from its study without mentioning the names of the mobile apps that had left their cloud databases unsecured online.
The first app is for a large department store chain in South America which has been downloaded more than 10m times. By searching VirusTotal, CPR was able to find API gateway credentials and an API key. To make matters worse, these credentials were in plain text and anyone would be able to read them and use them to access the accounts of the department store’s customers.
The next app is a running tracker application designed to track and analyze a runner’s performance and it has been downloaded over 100k times. Its database contained users' GPS coordinates and other health parameters like their heart rates. With this information in hand, an attacker could create maps to track the whereabouts of the app’s users.
Next up, CPR found the exposed database of a dating app for people with disabilities. This database contained 50k private chat messages along with pictures of the senders. CPR also found the exposed database of a widely used logo maker application that has been downloaded more than 10m times. Inside the database there were 130k usernames, emails and passwords.
In addition to these apps, CPR also came across the unsecured databases of a popular PDF reader as well as a bookkeeping application.
In the same way that security experts recommend that consumers protect their smartphones, tablets and laptops with strong and complex passwords, so too should businesses that use cloud databases to store data for their mobile apps.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.