RPG leak: Android game with 1 million downloads exposes players' personal data

Cybernews cybersecurity researchers have found that the developers of the Android RPG Tap Busters: Bounty Hunters left their database publicly accessible, exposing users' private conversations.

In addition, the app's developers hard-coded confidential data into the client side of the application, leaving it open to further data leaks.

Tap Busters: Bounty Hunters is an idle role-playing game that has been downloaded by more than 1 million people from the Google Play store, and its 4.5-star rating is based on more than 45,000 reviews. An idle game is one in which the player does not need to interact with the game while it runs.

The researchers found that Tap Busters: Bounty Hunters was leaking data through unprotected access to Firebase, Google's mobile application development platform, which provides cloud database services. As a result, anyone could gain access to the database.

The unprotected dataset, 349 MB in size, contains:

  • user IDs;
  • usernames;
  • timestamps;
  • private messages.

Had an attacker simply deleted all the data, users' private messages would likely have been lost irrevocably, with no possibility of recovery.

Alongside the open Firebase instance, the developers left some confidential information behind, namely secrets hard-coded on the client side of the application. The following keys were found:

  • firebase_database_url;
  • gcm_defaultSenderId;
  • default_web_client_id;
  • google_api_key;
  • google_app_id;
  • google_crash_reporting_api_key;
  • google_storage_bucket.

It is worth noting that hard-coding confidential data on the client side of an Android application is unsafe, since in most cases it can easily be recovered through reverse engineering.
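The exposure described above, a Realtime Database whose rules amount to `{"rules": {".read": true, ".write": true}}`, is closed on the server side by rules such as the following. This is an added example of the Firebase Realtime Database rules language, not configuration from the game or from Tilting Point; the `users`/`conversations`/`messages` layout and the `from`, `text` and `timestamp` field names are assumed for illustration.

```json
{
  "rules": {
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "username": { ".validate": "newData.isString() && newData.val().length <= 32" }
      }
    },

    "conversations": {
      "$conversationId": {
        ".read": "auth != null && data.child('participants').child(auth.uid).exists()",
        "participants": {
          ".write": "auth != null && (!data.exists() || data.child(auth.uid).exists())",
          "$uid": { ".validate": "newData.isBoolean()" }
        },
        "messages": {
          ".indexOn": ["timestamp"],
          "$messageId": {
            ".write": "auth != null && root.child('conversations').child($conversationId).child('participants').child(auth.uid).exists() && !data.exists()",
            ".validate": "newData.hasChildren(['from', 'text', 'timestamp']) && newData.child('from').val() === auth.uid && newData.child('text').isString() && newData.child('timestamp').isNumber()"
          }
        }
      }
    }
  }
}
```

Because the database URL and API key are recoverable from the APK, as the article notes, these server-side rules are the control that actually stops anonymous reads of user records and conversations; the `false` defaults at the root and the `!data.exists()` condition on messages also mean no client can overwrite or delete existing messages, let alone wipe the whole dataset.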

The database is still open

The game's developer is Tilting Point, which owns several other successful games with large player communities. Some of these games have been downloaded more than 5 million times. The developer was informed about the data leak, but public access to the database has not been closed.

The app's developers did not answer Cybernews' questions about how long the instance had been publicly accessible, or about the possibility that attackers could use the hard-coded secrets, which could lead to a further leak of confidential data.

However, at the time, the Firebase instance held so much data that an attacker could not retrieve all of it in a single request: according to Google, the instance's payload was too large for that.

In December, Cybernews experts found that the Web Explorer - Fast Internet Web Surfing app was exposing users' confidential data. The exposure occurred because the developers had left an open user database on the Firebase platform.

Source: media reports cited above.