Security researchers have discovered a new vulnerability caught leaking vast swathes of personal information from legitimate mobile applications found on both Apple and Google marketplaces, with fears rising the compromised data could be used to fuel future cyberattacks.
Experts from Appthority, a security firm, found 43 terabytes of exposed data and more than 1,000 affected applications while researching weakly secured servers in March this year. However, in a unique twist, the applications did not contain malware and were not downloaded from a third-party source.
Instead, the data was leaked due to misconfigurations in back-end storage services used by mobile application developers. These popular platforms included Elasticsearch, MongoDB, CouchDB and MySQL.
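The failure mode described above is a data store that listens on every network interface with authentication switched off. The following audit script is an added example, not Appthority's tooling or anything from the report: it parses a flat `elasticsearch.yml`-style fragment and flags that combination, with a constructed weak configuration beside its hardened counterpart. It assumes the real Elasticsearch keys `network.host`, `http.port` and `xpack.security.enabled`, treats an unset security flag as disabled (a deliberately conservative assumption; newer versions default it to enabled), and ignores nested YAML.

```python
"""Audit flat key/value Elasticsearch config fragments for the HospitalGown
failure mode: a store reachable from any interface with authentication off.
Added example; not Appthority's code. The sample configs are constructed."""

from typing import Dict, List

# Constructed sample: node bound to every interface with X-Pack security off,
# the misconfiguration class the article attributes to app back-ends.
WEAK_ES = """\
cluster.name: mobile-backend
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same node bound to loopback with security enabled.
HARDENED_ES = """\
cluster.name: mobile-backend
network.host: 127.0.0.1   # only local clients (or a proxy) can reach it
http.port: 9200
xpack.security.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; '#' comments and blank lines are ignored.
    Nested YAML is out of scope for this simplified audit."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip().strip("\"'")
    return out


def is_public_bind(host: str) -> bool:
    """True when the address means 'every interface'. Elasticsearch also
    accepts the special values _global_ and _site_ for non-loopback binds."""
    return host in {"0.0.0.0", "::", "_global_", "_site_"}


def audit_elasticsearch(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing flagged."""
    cfg = parse_flat_yaml(config_text)
    findings: List[str] = []

    # Elasticsearch binds to loopback when network.host is unset.
    host = cfg.get("network.host", "127.0.0.1")
    public = is_public_bind(host)
    if public:
        findings.append(
            f"network.host={host}: REST API reachable from any interface")

    # Assumption: an absent flag is treated as security disabled so the
    # audit errs on the side of reporting.
    security_on = cfg.get("xpack.security.enabled", "false").lower() == "true"
    if not security_on:
        findings.append(
            "xpack.security.enabled is not true: no authentication on the REST API")

    if public and not security_on:
        findings.append(
            "CRITICAL: every index is readable by anyone who can reach port "
            + cfg.get("http.port", "9200"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_ES), ("hardened", HARDENED_ES)):
        print(label, audit_elasticsearch(text) or ["no findings"])
```

Run it against a real node's configuration file to get the same three-line verdict; the same shape of check (public bind address plus authorization disabled) applies to the MongoDB and CouchDB deployments the article names, though their configuration keys differ.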
The research's conclusion was simple: these leaks were happening on a massive, alarming scale.
"HospitalGown is a vulnerability to data exposure caused not by any code in the app but by the app developers' failure to properly secure the back-end (hence its name) servers [...] where sensitive data is stored," explained Seth Hardy, security expert at Appthority, this week (31 May).
In other words, the apps perform exactly how they are supposed to – but the data still leaks.
In a subset focusing on 21,000 exposed Elasticsearch servers, the researchers found 39 mobile apps had leaked 280 million user records – 163GB of data. Some of the software had "hundreds of thousands" of downloads. In a sample of enterprise apps, entire customer databases were exposed.
"Hundreds of apps are leaking terabytes of data, all due to simple human error – failure to secure the backend data stores," Hardy said. "The HospitalGown vulnerability isn't just theoretical."
He continued: "In all cases we've observed, this vulnerability has resulted from human error, not malicious intent. Our notification process responsibly disclosed information about the data exposure to app developers, and we worked with those that responded to close the vulnerabilities.
"In some cases, the issues were remediated immediately. Unfortunately, in others, we received no response and the data is still exposed." You can see the full report here.
While conducting massive scans for exposed back-end servers, the firm uncovered a multitude of application categories wide open to data theft. These included gaming, content management, news, dating, office productivity, education, travel and enterprise services.
One app, called "Pulse Workspace", was detailed in the full research report. Made by Pulse Secure LLC, the software was designed to give corporate employees access to network and web applications, but it was reportedly leaking sensitive information on a huge scale.
"To get a sense of the data exposure, we assessed the first few hundred records from each of approximately 100 indices exposed on the Pulse Secure Elasticsearch server. This data sample amounted to 35 MB out of 7.97 GB of exposed data," the report revealed.
Upon analysis, the exposed data included virtual private network (VPN) records and personal information relating to organisations including a US Federal Court, a US missile company, a CCTV surveillance company and "one of the largest" US telecommunications carriers.
Furthermore, this leaked data contained employee names, email addresses, phone numbers, passcode lengths, and much more. Appthority experts warned that if it ended up in the wrong hands it could easily be used for highly targeted spear-phishing cyberattacks - if not worse.
"The servers for most mobile applications are cloud based and accessible via the internet; this allows a bad actor to skip the long and potentially many-layered compromise stage of an attack, accessing company data directly from a database," the firm warned in its research report.