Security researchers at Cybernews report that Oyetalk, a popular Android voice-chat application, stored unencrypted user chats in a database that was not protected by a password.
Oyetalk, a voice-chat application with 5 million downloads on Google Play and a rating of 4.1 out of 5 stars based on 21,000 reviews, left its database publicly accessible, exposing users' personal data and conversations.
Oyetalk user data leaked through an unprotected Firebase instance. Firebase is Google's mobile application development platform, which provides cloud database services. If the data had not been backed up and an attacker had decided to delete it, users' private messages could have been lost irrevocably, with no possibility of recovery.
The open Firebase instance exposed more than 500 MB of data, including unencrypted user chats, usernames and IMEI numbers. Using an IMEI, cybercriminals can identify a device and its owner and then extort a ransom from that person.
Along with the open Firebase instance, the developers left behind some confidential information: so-called secrets hard-coded on the client side, including a Google API key and Google Storage buckets.
Hard-coding confidential data on the client side of an Android application is unsafe, because in most cases it can easily be recovered by reverse engineering the app.
The application's developers were informed of the leak but did not close public access to the database. Google, however, closed the instance, adding that the data set is too large to download in one go.
The Cybernews investigation shows that the Oyetalk database had previously been discovered and marked as vulnerable to data leakage: it contained certain fingerprints that are used to tag open Firebase databases.
According to the experts, a hacker gained access to the open database and marked it as vulnerable. Such intrusions demonstrate that the database has neither a proper authentication mechanism for viewing data nor a proper authorization system for inserting or editing existing data.
In other words, if the database contains the administrator's email address, an attacker can change it to their own address and then reset the password through that email using the "Forgot Password" function, gaining access to the administrator's account in the application.
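The authentication and authorization gap described above comes down to the database's security rules. The following is an added illustration, not Oyetalk's configuration or any rules published by Cybernews: it shows the wide-open Firebase Realtime Database rules that produce exactly this exposure, followed by a locked-down version in which every user can read and write only their own profile (so nobody can overwrite someone else's email field) and chat messages are readable and writable only by members of the room. The `users`, `rooms` and `messages` paths and the `from` and `members` fields are assumed for the example. Firebase's rules editor accepts `//` comments, which is why they appear here inside the JSON.

```json
{
  "rules": {
    // WEAK (example of the exposed configuration): anyone on the internet
    // can read the whole database and overwrite any record, including an
    // administrator's email address, without signing in.
    //   ".read": true,
    //   ".write": true

    // CORRECTED: deny everything by default, then grant narrowly per path.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // A profile is visible and editable only to the signed-in user it belongs to.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "email": {
          // Validation does not cascade; it only constrains the shape of the value.
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        }
      }
    },

    "messages": {
      "$roomId": {
        // Only members listed under rooms/$roomId/members may read the room's history.
        ".read": "auth != null && root.child('rooms/' + $roomId + '/members/' + auth.uid).exists()",
        "$messageId": {
          // A member may add a message only if it is attributed to their own uid.
          ".write": "auth != null && root.child('rooms/' + $roomId + '/members/' + auth.uid).exists() && newData.child('from').val() == auth.uid"
        }
      }
    }
  }
}
```

Two design points matter here. First, `.read` and `.write` permissions cascade downward, so a `true` at the root cannot be revoked on a child path; the only safe starting point is deny-all at the top. Second, the `email` field is protected not by its own rule but by the surrounding `$uid` rule, which ties write access to `auth.uid`, so the "change the administrator's email, then reset the password" path is closed for anyone who is not that administrator. Rules are deployed with `firebase deploy --only database`, and the Firebase console's rules simulator can be used to confirm that an unauthenticated read of `/users` is rejected before the change goes live.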
Oyetalk is not the only application in this situation. Earlier, Cybernews researchers reported that the Web Explorer - Fast Internet Web Surfing application had exposed confidential data and browsing history through an open database on the Firebase platform.