Almost four million users of the virtual phone number iOS app "Second Phone Number," most of whom are in the U.S., are at risk of having their information inadvertently exposed by an unsecured Firebase instance, which has remained unsecured since its discovery in January, reports Cybernews.
While initial identification of the misconfiguration revealed more than 700 SMS messages, including sender and recipient phone numbers and the recipient names set by app users, the exposure could be significantly more extensive because the database is used only as a temporary repository, according to Cybernews researchers.
Further analysis also revealed the exposure of API keys, client IDs, Google App IDs, database URLs, reversed client IDs, project IDs, storage buckets, and GAD application identifiers, which could be leveraged to exploit API services.
Such findings should prompt the implementation of appropriate Firebase security rules and the transfer of sensitive secrets to app servers.
"Hardcoded secrets allow threat actors to enumerate infrastructure used by the app. If any authentication secrets are present, it may also allow threat actors to abuse the affected services in order to harvest user data or use the services for their own, unauthorized purposes," said Cybernews researcher Aras Nazarovas.
Misconfiguration leaks Second Phone Number iOS app data
