A popular Android barcode scanner app has some worrying cybersecurity flaws
Everything users scanned went to an open database
A popular barcode-scanning app for Android carried a severe vulnerability that allowed anyone easy access to a database full of sensitive data, as long as they knew where to look.
This is according to Cybernews report on the flaw in the Barcode to Sheet app, which allows ecommerce users to scan a barcode on an item and generate data in a format readable by different spreadsheet apps.
It has more than 100,000 downloads on the Google Play Store, and an average rating of 4.5/5, making it relatively popular and trusted.
Different use cases, all dangerous
The data generated with the scanner went to a Firebase database which, the researchers said, was unprotected. It contained more than 360MB of data, including information about products, reports, emails, user IDs, and user passwords. Some of the information was stored in plaintext, while passwords were stored in the MD5 hash format. MD5 is all but deprecated, as it’s a broken hash algorithm and can be unlocked with basic programming knowledge.
But that’s not all, as the database also contained sensitive data on the application’s client side, with access keys and IDs alongside web client IDs, Google API keys, Google app ID, crash reporting keys, and more.
“The leaked data is sensitive. Not only did it include the application’s secrets, stored on the client side of the app, but enterprise and user information as well, including users’ passwords,” the Cybernews team said.
This means the data could be used in a number of different attacks, ranging from simple phishing attacks to identity theft, ransomware deployment, and more. Even the competition can use the data to understand their business landscape, identify their strength and weaknesses, and ultimately gain an unfair advantage.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“Competitors can use the data for intellectual property espionage. One way to do that would be analyzing user preferences and checking what type of goods the company that was using the app has in stock,” the Cybernews team said.
The app’s developers are said to be working on a solution, and TechRadar Pro has contacted them for comment.
More from TechRadar Pro
- Thousands of mobile app cloud databases have been left exposed online
- Here's a list of the best firewalls today
- These are the best endpoint protection software right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.