Misconfigured Firebase Database Leaves Sensitive Information Vulnerable
The iOS application Sleep Journey: Insomnia Helper, designed to assist users with sleep issues, has inadvertently exposed the personal and health data of more than 25,000 individuals due to a misconfigured Firebase database. The exposed data includes names, email addresses, dates of birth, gender, sleep patterns, habits such as alcohol and nicotine consumption, pre-sleep activities, and medication usage.
“The app aims to help people with health and quality of life; however, due to security misconfigurations, it may inadvertently achieve the opposite, as the app leaks personal information, personally identifiable information, and health information that could be abused by threat actors,”
— Cybernews research team
The application is distributed by Fitsia Holdings Limited, a company registered in Cyprus. The misconfiguration not only exposed user data but also revealed several internal app secrets, including API keys and database URLs.
Potential Risks and Exploitation
The exposed data presents significant risks, as malicious actors could exploit this information for:
- Phishing attacks
- Spam campaigns
- Social engineering
- Credential stuffing
Furthermore, attackers could deploy automated data scrapers to continuously harvest new data from the unsecured database, exacerbating the potential damage.
Broader Implications
This incident underscores the critical importance of proper security configurations, especially for applications handling sensitive health-related information. Organizations must ensure that all databases and internal systems are securely configured to protect user data from unauthorized access.
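As an added illustration that is not part of the Cybernews report and not the app's own configuration, the two Firebase Realtime Database rule sets below show the kind of misconfiguration that produces an exposure like this one, alongside a corrected version. The `users` path and the per-user `$uid` layout are assumed for illustration; the rules language itself (`.read`, `.write`, `auth`, `$` wildcards) is Firebase's own.

```json
{
  "_comment": "WEAK (hypothetical): anyone who knows the database URL can read and write the entire tree, unauthenticated.",
  "rules_weak": {
    ".read": true,
    ".write": true
  },

  "_comment2": "CORRECTED (hypothetical layout): default deny; a signed-in user may read and write only their own record.",
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

With the weak rules, the whole dataset is retrievable as one JSON document from the database's REST endpoint, which is what makes the automated scraping described above possible. In a real deployment only the `rules` object is published; the `rules_weak` block and the `_comment` keys are shown here side by side for comparison. Because Firebase denies access to any path without a matching rule, the corrected version also closes every other path by default, and it can be checked before publishing with the Rules Playground in the Firebase console or the local emulator. Note that these rules govern only the Realtime Database; Cloud Firestore and Cloud Storage each have their own separate rule sets that need the same review.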