Android barcode scanner app exposes user passwords

Android barcode scanner app exposes user passwords

Pierluigi Paganini
December 08, 2023

An Android app with over 100k Google Play downloads and a 4.5-star average rating has let an open instance go unchecked, leaving sensitive user data up for grabs.

The Cybernews team discovered the Android app Barcode to Sheet leaking sensitive user information and enterprise data stored by app creators.

Barcode to Sheet has over 100k downloads on the Google Play store and focuses on e-commerce clients. The app works as a barcode scanner that allows users to transfer data from barcodes to various formats recognizable by spreadsheet apps.

The team found that the app developers left their Firebase database, containing over 368MB of data, open for anybody to access it. Firebase is a real-time data storage service for any application, often used to store data that apps collect.

“Leaked data is sensitive”

Some of the enterprise data in the open server was stored in plaintext. According to the team, information about products, reports, emails, and user IDs was stored that way. Meanwhile, user passwords were stored in the MD5 hash format.

While MD5 hashes the text it’s supposed to protect, the format suffers from multiple vulnerabilities and does not require sophisticated programming knowledge to unlock.

The open server also stored likely sensitive information on the application’s client side with access keys and IDs. Details left accessible included web client ID, Google application programming interface (API) key, Google app ID, crash reporting key, and other information typically only meant for developers of the app.

For example, unauthorized access to the web client ID, a unique public identifier dispatched for an application using Firebase, allows threat actors to carry out phishing attacks with fewer constraints. Meanwhile, access to the Google API key, when coupled with Google app ID, grants full access to the service and the data being dispatched by that specific service.

“The leaked data is sensitive. Not only did it include the application’s secrets, stored on the client side of the app, but enterprise and user information as well, including users’ passwords,” the Cybernews team said.

Dark web dangers

The open database had a considerable amount of data for an app with less than half a million users. If threat actors get their hands on such a dataset, it often ends up on the dark web.

Criminals use consumers’ leaked personally identifiable information (PII) for financial gain and identity theft. For example, credit card and social security numbers can be purchased for under $20.

Threat actors could use open data to harm victims with phishing and credential stuffing as phishers often automate attacks using large datasets. Sometimes, it might take just a single victim out of thousands to make the attack worthwhile.

For more info on how competitors could use the data left exposed by Barcode to Sheet take a look at the original post on CyberNews:

About the author: Vilius Petkauskas, Deputy Editor at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT28)