An android app named Barcode to Sheet is exposing users to all manner of data theft due to an unchecked open instance. Such a security flaw is dangerous because of the fact that this is the sort of thing that could potentially end up giving malicious actors open access to sensitive information stored in the developer’s data centers.
One thing that bears mentioning is that this app has over 100,000 downloads on the Play Store, and it’s meant to function as a bar code scanner which has made it highly popular among ecommerce clients in particular. With all of that having been said and now out of the way, it is important to note that much of this data was available in plaintext , which includes email addresses, product information and reports. Passwords were encrypted, but the MD5 hash format that was used is notorious for being extremely easy to crack with minimal knowledge.
It's not just users that have been put in jeopardy, either. Access IDs and pass-keys for the developer have also been left up for grabs, which reveals the poor level of security used by creator of this app with all things having been considered and taken into account. Classified enterprise information may have ended up in the wrong hands, and since both the API key and app ID are both easily accessible, this could give malicious actors unrestricted access to the app through the backdoor.
Considering the massive quantity of data that has been stored in this database, personally identifiable information may start going up for sale on the Dark Web. Phishing attacks could also be facilitated due to how this much data would aid malicious actors with credential stuffing and the like, and it’s not just these individuals that might want to use the data for their own end.
The app developer’s own competitors would be more than happy to take a look at how things word under the hood, and they could use this proprietary knowledge to gain an edge. User preferences and stock information based on the bar codes that were scanned are all pieces of data that should be kept under lock and key, yet this app developer has basically given a free pass to anyone that might want to take a look at it.
Photo: DIW-AIgen
H/T: Cybernews
Read next: Apple Reminds Users To Opt For Advanced Data Protection That Keeps iCloud Data Secure
One thing that bears mentioning is that this app has over 100,000 downloads on the Play Store, and it’s meant to function as a bar code scanner which has made it highly popular among ecommerce clients in particular. With all of that having been said and now out of the way, it is important to note that much of this data was available in plaintext , which includes email addresses, product information and reports. Passwords were encrypted, but the MD5 hash format that was used is notorious for being extremely easy to crack with minimal knowledge.
It's not just users that have been put in jeopardy, either. Access IDs and pass-keys for the developer have also been left up for grabs, which reveals the poor level of security used by creator of this app with all things having been considered and taken into account. Classified enterprise information may have ended up in the wrong hands, and since both the API key and app ID are both easily accessible, this could give malicious actors unrestricted access to the app through the backdoor.
Considering the massive quantity of data that has been stored in this database, personally identifiable information may start going up for sale on the Dark Web. Phishing attacks could also be facilitated due to how this much data would aid malicious actors with credential stuffing and the like, and it’s not just these individuals that might want to use the data for their own end.
The app developer’s own competitors would be more than happy to take a look at how things word under the hood, and they could use this proprietary knowledge to gain an edge. User preferences and stock information based on the bar codes that were scanned are all pieces of data that should be kept under lock and key, yet this app developer has basically given a free pass to anyone that might want to take a look at it.
H/T: Cybernews
Read next: Apple Reminds Users To Opt For Advanced Data Protection That Keeps iCloud Data Secure
