"Misconfigured Firebase Instances Expose 125 Million User Records"

Security researchers are warning that hundreds of websites misconfigured Google Firebase, leaking more than 125 million user records, including plaintext passwords.

The researchers were able to hack Chattr, the AI hiring system that serves multiple organizations in the US, including fast food chains such as Applebee's, Chick-fil-A, KFC, Subway, Taco Bell, and Wendy's. They noted that a weakness in Chattr's Firebase implementation allowed them to gain full privileges to the database simply by registering a new user. They gained access to names, phone numbers, email addresses, plaintext passwords for some accounts, confidential messages, and more. The impacted individuals, the researchers say, included employees, franchise managers, and job applicants. By creating a new administrative account, they could reach the admin dashboard, which provided further access to the system, including the option to refund payments. An additional "ghost" mode was also discovered, providing access to billing information, full control over user accounts, and the option to hire people. Chattr addressed the issue on January 10, one day after the researchers reported it.

Next, the researchers set out to identify other web applications exposing sensitive information via misconfigured Firebase instances and found 900 websites exposing the information of 125 million users. The identified databases contained over 80 million names, over 100 million email addresses, more than 33 million phone numbers, and over 20 million passwords, along with more than 27 million billing info entries. According to the researchers, however, the total number of exposed records could be much higher. The researchers say they tried to contact 842 websites, but only 85% of their emails got through. One-quarter of the sites addressed the misconfiguration, and 1% emailed back. However, only two site owners offered a bug bounty.
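The flaw the researchers describe is the classic Firebase rule that treats "signed in" as "authorized", so any self-registered account gets the whole database. As an added illustration (not from the article, the researchers, or Chattr) the weak rule is shown next to a scoped Cloud Firestore ruleset; it assumes the app uses Firestore with hypothetical `/users` and `/billing` collections and that admin status travels as a custom claim on the ID token.

```firestore
// Added illustration, not Chattr's or the researchers' rules. Collection
// names (/users, /billing) and the "admin" custom claim are assumptions.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // BEFORE (the weak pattern described in the article): anyone who
    // self-registers is "authenticated", so this one line hands every
    // document in the database to every new sign-up.
    //
    //   match /{document=**} {
    //     allow read, write: if request.auth != null;
    //   }

    // AFTER: privilege comes from a custom claim minted server-side with
    // the Admin SDK, never from a document field a client can write.
    function isAdmin() {
      return request.auth != null && request.auth.token.admin == true;
    }
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // A user sees only their own profile; admins see all profiles.
    match /users/{uid} {
      allow read: if isOwner(uid) || isAdmin();
      // A client may create its own profile but cannot seed a role field.
      allow create: if isOwner(uid)
        && !('role' in request.resource.data);
      // Updates may not touch privilege-bearing keys.
      allow update: if isOwner(uid)
        && !request.resource.data.diff(resource.data)
             .affectedKeys().hasAny(['role']);
      allow delete: if isAdmin();
    }

    // Billing and refund records: readable by admins, written only by
    // trusted server code (the Admin SDK bypasses rules), never by clients.
    match /billing/{doc} {
      allow read: if isAdmin();
      allow write: if false;
    }

    // No other match block exists, so every other path is denied.
  }
}
```

The Realtime Database has the same pitfall in JSON form: a root-level `".read": "auth != null"` grants every registered account the entire tree.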

SecurityWeek reports: "Misconfigured Firebase Instances Expose 125 Million User Records"

Submitted by Adam Ekwall on