Researchers found vulnerabilities within an Android application that could allow hackers to check users’ browsing history.
According to a Cybernews report, the Android application Web Explorer – Fast Internet left an open instance that exposed a trove of users’ browsing activity to unauthorized actors. The app uses a Firebase instance by default, and the open instance could be used to see the browsing history of 5 million users.
The app currently has over 58,000 reviews and five million installs, and claims to increase browsing speed on mobile devices by 30%. It offers various functions to improve the overall browsing experience.
The app also relies on a default Firebase platform, where users can check analytics on their browsing and even store data on the app’s cloud storage platform.
Because the Firebase instance was open, data spanning several dates was directly accessible. This data includes the user ID, the user’s country, and, for each redirect, the originating address and the destination address.
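As an added illustration (not from the Cybernews report or the app’s own code), the Firebase Realtime Database rules below show how the history data could have been locked down to its authenticated owner; the open configuration that exposes the whole tree is simply `{"rules": {".read": true, ".write": true}}`. The path `browsing_history` and the fields `origin`, `destination` and `timestamp` are assumed names chosen for this example.

```json
{
  "rules": {
    // Deny everything by default; the open form sets both of these to true,
    // which is what lets anyone fetch the entire database over HTTPS.
    ".read": false,
    ".write": false,

    // Assumed path for the per-user history (not the app's real schema).
    "browsing_history": {
      // $uid is a wildcard matching each user's own subtree.
      "$uid": {
        // Only the signed-in user whose uid matches the key may read or write.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",

        "$entry": {
          // Each history record must carry the expected fields and types,
          // so a compromised client cannot stuff arbitrary data into the tree.
          ".validate": "newData.hasChildren(['origin', 'destination', 'timestamp']) && newData.child('origin').isString() && newData.child('destination').isString() && newData.child('timestamp').isNumber()",
          // Reject any field outside the three declared above.
          "$other": { ".validate": false }
        }
      }
    }
  }
}
```

Whichever client library the app uses, an unauthenticated request for the root `/.json` path must return a permission-denied error once rules like these are deployed; a 200 response with data is the symptom the report describes.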
How the Android app information can be exploited
Despite the severity of the flaw, the mere availability of the data would not be enough on its own to initiate large-scale attacks. According to the researchers, for threat actors to make use of the information on the app’s users, they would first need to find the data points where the developers keep that user data.
However, by combining different mechanisms, cross-referencing, and filtering of the data, an attacker could still reveal the app users’ information, which could be detrimental to the five million users who have installed the app on their mobile devices.
Moreover, the app also stores a Google API key and Google API ID that could further be used to authenticate the app for devices.
At the time of writing, the open Firebase instance has been closed by the developers and is no longer accessible to threat actors. However, the Google Play store shows that the app has not been updated since October 28, 2020, and it is believed that the hardcoded secrets are still present in the app.