900+ Websites Exposing 100M+ Accounts

New research has revealed that more than 900 websites had a serious misconfiguration, which exposed a massive 125 million user records, including plaintext passwords and sensitive billing information.

These results come after researchers scanned the entire internet for exposed PII through misconfigured Firebase instances.

Moreover, these were easy misconfigurations of security rules that had zero warnings.

This research was conducted with two methods: Python scanning and Go-based scanning for Firebase configuration variables on websites or associated .js bundles.

Misconfigured Firebase Instances

According to the reports shared with Cyber Security News, the researchers initially attempted the massive scan using a Python scanner.

However, this scanner was not feasible as it took a lot of memory due to the fact that Python programs with ~500 threads would consume a lot of memory.

After this, the researchers attempted the same scanning activity with Go, which was expected to be over in 11 days. Nevertheless, it took nearly 2 to 3 weeks for the entire scanning to complete, providing valuable results.

The resulting file had more than 550k lines with 136 sites and 6.2 million records, which required manual reviewing for misconfigurations.

To speed up the process, the researchers gathered a shortlist of potentially affected websites and created another scanner which has been named “Catalyst“.

This scanner checks for read access to common Firebase collections and any other things that could be explicitly mentioned in the .js bundles.

When it finds a successful read access, the scanner also calculates the impact of the exposed data by gathering a sample of 100 records from the misconfigured Firebase instance.

Furthermore, to have a complete and clear picture of the impact and information contained, the resulting data is formatted and put in a PostgreSQL database (Supabase).

The overall database accounted for nearly 125 million records with 84 million names, 106 million email addresses, 33 million phone numbers, 20 million passwords, and 27 million billing info, which includes bank details, invoices etc.,

Some of the sample sites that were affected include, 

• Silid LMS with 27 million affected users – Names, Emails and Phone Numbers.
• 9 Online Gambling websites with 8 million bank account details and 10 million plaintext passwords.
• Lead Carrot with 22 million affected users
• MyChefTool with 14 million exposed names and 13 million exposed emails.

The overall stats of the aftermath were 842 sent emails, 715 (85%) delivered emails, 75 (9%) bounced emails, 200 misconfigurations fixed, 8 reply emails and 2 bug bounties offered. 

As an interesting note, one of the gambling website support persons tried to flirt with the researchers when reporting this issue.

In addition, the researchers also mentioned that some of the gambling websites were rigged with 0% chance of winning in the Spins.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.