All Your Base (Should) Belong to You

With the adoption of cloud computing, developers are now able to cut costs when it comes to servers. Cloud computing can be more beneficial than on-premises servers since companies only pay for what they need while a third party deals with the maintenance of the server (1). However, in a study, Check Point Research found over 2000 databases in Google Firebase alone that were left exposed and at risk (2).


Firebase
The Google Firebase logo (3).

Google Firebase is a cloud-hosted database mainly used for developing mobile and web apps. It utilizes Firebase Realtime Database, which is an API that allows developers to push updates to application data across multiple platforms at the same time (3). Problems can arise when these databases are left misconfigured by developers.


The logo used by VirusTotal (4).

VirusTotal is a tool where developers can upload URLs, IP addresses, domains, and files to check for data breaches and test how malicious something is. Submissions are shared to VirusTotal’s security community, which is comprised of people that work in the fields of antivirus, security, and malware. These people give their critiques and can vote on whether submitted files and URLs are malicious or not (5).

The Breach

Over the span of three months, Check Point Research utilized VirusTotal by searching for Firebase URLs. First, they skimmed VirusTotal for any URLs in Android application packages (APKs) that contained “.firebaseio.com”. Then they added “/.json” to the end of the URLs that they found in order to see if they were able to read them. Among the databases that they were able to read, they filtered for keywords, such as “password”, and were able to find many databases with sensitive user information (5). These databases ranged from applications for dating to healthcare applications.

The database for an accounting application designed for businesses. The addresses, bank balances, cash balances, emails, and more for more than 80,000 companies were found to be exposed by the people at Check Point Research (5).

Rest assured, the good people over at Check Point Research notified the companies after their discovery!

What Can be Done?

Make sure to lock up!

As hard a mistake as it seems to make, the 2000 compromised databases found by Check Point Research were either left in test mode, which allows all reads and writes to your database, or had exposed credentials (2). If you leave your database in test mode, the not so good people (AKA attackers) can not only read sensitive information, but also write to your database. If they write in malicious code, the safety of your database and the users of your application can be compromised.
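A defender-side check for the test-mode misconfiguration described above, as an added example that is not part of the original post: it walks a Realtime Database rules file and reports every `.read`/`.write` rule that grants access without consulting `auth`. The three rule sets are constructed samples, and treating "never references `auth`" as open is a heuristic assumption.

```python
import json
import re

# Constructed sample rule sets for illustration (not from any real project).
TEST_MODE = '{"rules": {".read": true, ".write": true}}'
# Open until a timestamp: still no check on who is asking.
TIME_LIMITED = '{"rules": {".read": "now < 1893456000000", ".write": "now < 1893456000000"}}'
HARDENED = """
{"rules": {
  ".read": false,
  ".write": false,
  "users": {"$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"
  }},
  "public_posts": {".read": true}
}}
"""

def is_open(expr):
    """Heuristic (assumption): a rule is open if it can grant access
    without ever looking at the caller's `auth` object."""
    if isinstance(expr, bool):
        return expr
    text = str(expr).strip()
    if text == "false":
        return False
    return text == "true" or re.search(r"\bauth\b", text) is None

def audit_rules(rules_json):
    """Return (path, operation, expression) for every open .read/.write rule."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if is_open(value):
                    findings.append((path or "/", key[1:], value))
            elif isinstance(value, dict):
                walk(value, path + "/" + key)

    walk(json.loads(rules_json)["rules"], "")
    return findings

def root_is_open(rules_json):
    """Access granted at the root cascades to every child path, so this
    is the condition that exposes the whole database at /.json."""
    return any(path == "/" for path, _, _ in audit_rules(rules_json))

if __name__ == "__main__":
    for name, rules in [("test mode", TEST_MODE), ("time-limited", TIME_LIMITED), ("hardened", HARDENED)]:
        print(name, "root open:", root_is_open(rules), audit_rules(rules))
```

A finding below the root, such as `/public_posts` in the hardened sample, is not necessarily a mistake, but it should be a deliberate choice that someone has reviewed.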

There is no denying the benefits and ease of use that come with cloud computing. Many start-up companies can enter the market through the use of this technology. However, as we all know, no matter how great the security, the greatest point of weakness is often the user. With how fast technology evolves, it is easy to miss key steps in security one may not have had to be aware of before. Having cloud misconfigurations leaves the door open for attackers, so it is critical that more awareness is brought to this issue and that the proper standards of practice are in place to keep such issues from happening.

Sources:

  1. https://www.cleo.com/blog/knowledge-base-on-premise-vs-cloud
  2. https://www.darkreading.com/application-security/mobile-app-developers-leave-behind-2-100-open-databases
  3. https://en.wikipedia.org/wiki/Firebase
  4. https://www.virustotal.com/gui/home/search
  5. https://blog.checkpoint.com/2022/03/15/stop-neglecting-your-cloud-security-features-check-point-research-found-thousands-of-open-cloud-databases-exposing-data-in-the-wild/

Join the Conversation

31 Comments

  1. Cloud computing is a topic I know very little about, but hearing about breaches doesn’t surprise me too much. It’s awful to think that a malicious attacker can just straight up rewrite your program if files are left exposed. I’m curious to see how many companies have switched to cloud computing since the COVID-19 pandemic has started. It makes sense for companies to switch if they have a large number of employees working from home. Don’t have a great computer, but need a lot of computing power to do your job? Just remote in to a server and you’re good to go! If, let’s say, a large number of companies did switch, I’d suspect that large influx in a short period of time would have to catch an attacker’s eye, I can’t imagine the transition (or setup) would go smoothly 100% of the time, creating vulnerabilities to any would-be attackers.

  2. Thank you for sharing this topic. As an emerging technology in recent years, cloud computing has been used more and more frequently in various fields. It reduces operating costs for many companies, but also provides them with another possibility for data breaches. Improving the security of cloud computing may be the first problem to be solved in the next stage

  3. Cloud storage service confirmation is convenient for users, but its risks are also difficult to ignore. We often see in movies that hackers simply use hard drives and other devices to store information because they know it’s more efficient to do so. The cloud storage software I used didn’t have a monthly fee, but when you refused to subscribe to their service, it deleted the amount that exceeded the storage limit. It’s hard to imagine if the files we save in the cloud are in a secure environment if the carrier has extreme access to this. Very good post!

  4. I like how you mentioned that the greatest point of weakness is often the user. There are many times that people forget such a simple rationale when designing systems or new technology. Although the consideration might seem asinine, it can have reverberating consequences to all that use the system. I found the post to be very surprising because you would expect hackers to use complex tools to gain entry, whereas the flaw is in the design itself which made it easier for hackers to get a hold of sensitive information.

  5. I recently started learning more about cloud computing and also used Firebase for one of my personal projects, and I can relate to the security issues that show up because, probably after 30 days of inactivity where you get to receive a couple of emails and they probably don’t allow access to the database anymore. I was unaware of the fact that it was possible to actually breach these databases since they are operated by companies such as Alphabet for Firebase. Thanks for this informative post!

  6. I’d never thought about this type of thing before but by centralizing your data in a place that isn’t closed off from the rest of the internet I imagine there are inherently more risks involved. I’m very glad you brought this up because this is an important thing for people to know. It’s pretty impractical hosting your own files for some smaller organizations due to costs, I can even empathize with this by my using things like GitHub and Drive for group projects. Knowing risks is the first step to mitigating them, however, so I’m one step closer now! Great post!

  7. Great read! We hear about data breaches all the time and it’s important to take safety measures as a user. I agree with you on the last part where you are saying the user needs to lock up in order for their own protection. A lot of blame goes on the companies when data breaches happen but the user also has to make sure they are educating themselves up to the latest safety standards so that attacks are minimized or at least not with great severity.

  8. It’s very easy to get too comfortable with these provided services and their ease of use because of the competence of the people making the service. However, I believe it’s an important mindset to keep for management when delegating crucial tasks such as setting up databases or computational logic servers that their entire company rests upon how these services are set up and controlled. Having seen a fair share of live databases, and even seen the backend admin privileges of some of these servers, it’s very intimidating with the sheer amount of control and fine tuning that these services provide, and that assigning someone incompetent to manage such things can very easily and very quickly spell disaster. Therefore in the future I do see the job market for database and cloud computing engineers and managers growing rapidly as more and more examples such as these arise showing how bad it can get if it goes wrong.

    All and all, fantastic insight into this topic! Was fun to read about and think on.

  9. Good Post! It is interesting (and quite amusing in a way) to see that over 2000 databases could have had their data breached simply because they left their database in test mode. It is a good thing that Check Point was able to notify these companies (hopefully preventing future breaches). Presumably, the companies owning these databases have their own security measures in place to stop data leaks from happening, and it would be an ironic shame if the data of these companies is leaked despite these measures, all because someone left the door open.

  10. Nice post, databases should be stored very well because it holds privacy and information of many people who would not like their information to be on the loose, the third party also should secure that their data is secured safely and not just pay to think that their data is safe, when it comes to privacy, everyone should be accountable for it.

  11. Good post! This definitely showcases the need for those providing cloud based storage to have good experience with security. It’s definitely more comforting when you have control over how secure your database is, but in addition to cutting the extra costs of maintenance, one should hope you’re able to find a cloud storage provider that has a better idea of security than you do. Good that the problem was resolved and the companies were notified right away!

  12. I appreciate how you highlighted that the user is typically the greatest area of weakness. Many times, while creating systems or new technologies, individuals overlook such a basic explanation. Although the thought may appear absurd, it has the potential to have far-reaching effects for everyone who uses the system. I found the post unexpected because you would expect hackers to utilize sophisticated tools to get access, yet the weakness is in the architecture itself, making it easy for hackers to obtain sensitive data.

  13. Interesting Post! That’s right, it is the on-demand availability of computer services like servers, data storage, networking, databases, etc. The main purpose of cloud computing is to give access to data centers to many users. Users can also access data from a remote server. Examples of Cloud Computing Services: AWS, Azure, Google Cloud.

  14. Great post! I hadn’t heard of cloud computing before – but it certainly sounds promising. I thought that your commentary was very insightful on how new technologies often miss security considerations as a result of developing quickly. Hopefully security improves as the technology gains more widespread use, whether that be through design changes or simply by developers becoming more accustomed to the technology (i.e., fewer people leaving databases in “test mode”).

  15. Nice post! It’s interesting to see how easy it was to gain access to these databases, and yes of course the app devs should have made sure their databases were not in test mode, but it seems strange that anyone can access them without a password even in testing mode. Maybe Firebase should have a clear warning when a database is in testing mode, or encrypt the database behind a password.

  16. Nice post! It is interesting that attackers would be able to gain access to private information without any sort of security measures in place. Even when the system is in test mode there should be some sort of verification before sensitive information and write capabilities are given. The fault is also on the user as they forgot or didn’t know to take their system out of test mode. With the pandemic a lot more people began working from home most likely resulting in an increase in companies utilizing cloud computing. Hopefully these companies educate their employees on how to properly use the system in order to minimize the risk of an attack.

  17. This post left me wondering about the role that default security settings could have in breaches. If the databases were “left” in test mode, does that mean that a new database is automatically in that state? Perhaps the default security settings should be high. Then, if users want to make themselves (and each other) less secure, then they have to consciously change settings. This is Sunstein and Thaler’s concept of the “nudge.” It might be very useful for Internet security if it is not already in wide use.

  18. This is an interesting post. I’m quite surprised by the fact that tons of companies were left exposed and are vulnerable to dangerous applications or malicious code. It makes me question the security and privacy of some companies since they stayed in test mode instead of exiting it.

  19. After all these incidents, not only the companies, but we all should switch to cloud computing because we live in a world where technologies are exposed to so many dangers. I wonder how much loss the companies had to go through when all the files were stolen or hacked!

    1. I assume that the companies suffered a huge loss, these can definitely prevent other companies to work with them, since they might feel unsafe.

  20. That was a well-written post! I got to know before that that it gives access to data centers to many users and users can also access data from a remote server. I think many companies should start using it as cloud computing operates on a similar principle as web-based email clients, allowing users to access all of the features and files of the system without having to keep the bulk of that system on their own computers. Overall, that was a very interesting post to read.

  21. Great post! Databases must be secured as they hold sensitive information. It’s surprising to know how they were left exposed and how easy it is for malicious users to write to it once they gain unauthorized access to the database. I know very little about cloud computing but this intrigued me to delve deeper into this topic. Thanks!

  22. This was a really informative post! It’s really scary that it was so easy to access private information from the URLs by just adding “/.json” to the end of them (to make it readable). Companies definitely should make sure that their databases are always secure and not leave them in “test mode”. Furthermore, companies should definitely make use of cloud computing more just to improve security and avoid any type of danger.
    All in all, this was really interesting. Great job!

  23. Interesting read! Cloud computing is widely used in many businesses however, the lack of ownership of the database can become a problem. While you can save a lot in server costs, people should beware of the security risks that come with it.

  24. Ah storing in plaintext at least you never change, but seriously so many sites don’t encrypt their data and I don’t know why, I doubt if they encrypted the information in this case that a data breach could occur like this. Also wow I didn’t know that an attacker could write to a database if left in a test mode, I wonder if the cloud computing service could implement something to deter or increase security against this or if that is not possible? Very interesting topic about how attackers could read and or write to our databases.

  25. Thanks for the informative post! Cloud computing has numerous advantages, including low-cost, loss-prevention, flexibility, collaboration and convenience. However, the risks can often be neglected when it’s so widely used and accessible. I remember an interesting incident related to this when an organization stored member information in a doc on cloud storage (OneDrive). The document was hacked and caused many of the members receiving scam calls and emails. I think it would be a good idea to educate users of these risks prior to handing them the tools.

  26. Very interesting post. Cloud computing brings many risks as well as convenience. It’s hard to imagine cloud backup operators having high authority to manage the information you backup. Hope these companies can do a good job in the security of user information, if the information is invaded the company will bear several times more than the loss of users.

  27. This is an interesting topic! Users will like the convenience of cloud storage service confirmation, but the hazards are tough to overlook. There was no monthly subscription for the cloud storage programme I used, but if you refused to subscribe to their service, it erased any data that was over the storage limit. It’s difficult to know whether the files we put on the cloud are safe.

  28. Interesting post! Have been using Firebase lately makes me feel more relatable with your post. It is indeed worrisome to especially beginner/new users since they are still in the process of getting familiar with the platform. I went through most of the tutorials and guides from Firebase for users but they barely said about how to protect databases and any security risks accompanied with the platform.

  29. Cloud computing does seem quite amazing for someone like myself who had grown up with terrible, cheap computers that I would try my little heart out to get to run fast enough to play games on. It always seems like a recurring issue, new technology always seems to come with new security breaches.

  30. Great Post!
    Interesting to learn that over 2000 databases were compromised in Google Firebase, it is a good thing that people at Check Point Research discovered this risk and reported it to the company. You mention great tips to keeping safe, such as to not leave databases in test mode.
