In a shocking revelation, research published almost a week ago has uncovered a significant security lapse affecting over 900 websites. A misconfiguration of Firebase security rules exposed a staggering 125 million user records, including sensitive information such as plaintext passwords and billing details. The breach was discovered through an internet-wide scan that specifically targeted misconfigured Firebase instances. In this post, we go through the details of the research, the methods employed, and the alarming consequences of this widespread data breach.
The Research Methodology
The researchers scanned the entire internet for exposed personally identifiable information (PII) resulting from misconfigured Firebase instances. Initially, a Python scanner was used, but memory limitations arising from running approximately 500 threads made this approach impractical. The researchers therefore switched to a Go-based scanner, which was expected to finish within 11 days; in practice the scan took nearly 2 to 3 weeks, but it yielded valuable results.
Scope of the Data Breach
The resulting scan output was a file of over 550,000 lines covering 136 sites and approximately 6.2 million records. Because of this volume of data, manual review became necessary to identify specific misconfigurations reliably. To speed up the process, the researchers compiled a shortlist of potentially affected websites and developed a specialized scanner named “Catalyst.” This scanner focused on detecting read access to common Firebase collections, as well as other relevant information found in the sites' associated .js bundles.
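As an added illustration, not part of the research or of this article, the kind of Firestore security rule that produces the exposure described above, shown beside a rule that restricts each document to the signed-in user who owns it; the collection name `users` and its field names are assumed:

```text
// --- File 1 (WEAK): what an exposed instance typically looks like ---
// Any client, signed in or not, can read (and here even write) every document.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

// --- File 2 (HARDENED): per-user ownership, everything else denied ---
// The assumed "users" collection is readable and writable only by the
// authenticated user whose uid matches the document id.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, update, delete: if request.auth != null
                                 && request.auth.uid == userId;
      // On create, also restrict the document to the assumed fields; a password
      // or billing data has no place in a client-readable collection at all.
      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.keys().hasOnly(['name', 'email', 'phone']);
    }
    // Firestore denies by default; stating it makes the intent visible in review.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

These rules only govern access through the client SDKs and REST API; server code using the Admin SDK bypasses them, so sensitive data belongs behind a server rather than in a client-readable collection.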
Understanding the Impact
Once read access was confirmed, the Catalyst scanner also gauged the impact of the exposed data: a sample of 100 records was collected from each misconfigured Firebase instance. The researchers formatted and stored this information in a PostgreSQL database hosted on Supabase. The resulting database contained a shocking 125 million records, comprising 84 million names, 106 million email addresses, 33 million phone numbers, 20 million passwords, and 27 million billing details, including bank information and invoices.
Aftermath and Mitigation Efforts
After the extensive investigation, several key statistics emerged. The researchers sent out 842 emails to notify affected individuals, of which 715 (85%) were successfully delivered; 75 (9%) bounced, indicating potential issues with the recipients’ email addresses. As part of the disclosure process, the researchers reported 200 misconfigurations, leading to swift fixes by the affected websites. Eight individuals responded to the notification emails, and two large bug bounties were offered for the disclosed security vulnerabilities.
Unusual Encounters and Further Findings
In an unusual turn of events, a support representative from a gambling website attempted to flirt with the researchers while they were reporting the security issue. The incident highlights the varied experiences encountered during the investigation and underscores the importance of maintaining a professional approach in such circumstances. The researchers also uncovered evidence that could prove certain gambling websites were rigged, offering users a 0% chance of winning on spins, which aggravated the security concerns associated with these platforms.