Security researchers have uncovered a massive data breach impacting over 125 million users. The breach was a result of a misconfigured Google Firebase on hundreds of websites, leading to the exposure of sensitive user data, including plaintext passwords.
The Genesis of the Breach: Chattr’s Firebase Misconfiguration
The breach traces back to Chattr, an AI hiring system serving numerous organizations in the US, including prominent fast food chains like Applebee’s, Chick-fil-A, KFC, Subway, Taco Bell, and Wendy’s. Three security researchers, known online as mrbruh, xyzeva, and logykk, discovered a vulnerability in Chattr’s Firebase implementation.
By exploiting this vulnerability, the researchers were able to register a new user and gain full privileges to the database. This gave them access to a trove of sensitive information, including names, phone numbers, email addresses, plaintext passwords for some accounts, and confidential messages.
Who Was Impacted?
The data breach affected a wide range of individuals, including employees, franchise managers, and job applicants.
Exploiting the System: The Admin Dashboard and ‘Ghost’ Mode
The researchers further escalated their access by creating a new administrative account. This gave them access to the admin dashboard, providing them with even more control over the system, including the ability to refund payments.
They also discovered an additional ‘ghost’ mode, which provided access to billing information, full control over user accounts, and the ability to hire people.
Chattr addressed the issue on January 10, a day after the researchers reported it.
The Larger Issue: Misconfigured Firebase Instances
Following the Chattr incident, the researchers embarked on a mission to identify other web applications that were exposing sensitive information due to misconfigured Firebase instances. Their investigation led them to 900 websites that were exposing the data of 125 million users.
The exposed databases contained over 80 million names, over 100 million email addresses, more than 33 million phone numbers, and over 20 million passwords. They also found more than 27 million billing info entries.
However, the researchers believe that the total number of exposed records could be much higher.
Affected Websites
Some of the affected websites include:
- Silid LMS, a learning management system, exposed data on 27 million users.
- Lead Carrot, a generator for cold calling, exposed 22 million users’ details.
- MyChefTool, a business management and PoS application for restaurants, exposed 14 million names and 13 million emails.
- An online gambling network of nine sites exposed roughly 8 million bank account details.
Contacting the Affected Websites
The researchers attempted to contact 842 websites. However, only 85% of their emails got through. A quarter of the sites addressed the misconfiguration, and 1% responded. Only two site owners offered a bug bounty.