Experts say a popular Android browser app with more than five million downloads on the Google Play Store may have leaked user data, including browser history.
Cybernews (opens in a new tab) reports that it discovered that the "Web Explorer - Fast Internet" app had left open its instance of Firebase, a mobile app development platform designed for easy analytics, hosting, and cloud storage. .
At risk, five days of redirect data, including country, direct start address, redirect destination address, and user country, all presented by user ID.
Android web browser data leak
Cybernews Senior Reporter Vilius Petkauskas explains that getting your hands on this data alone may not be enough to give threat actors what they're looking for, but crossing it with additional details could prove damaging.
The app was also found to be hard-coded on the client-side, including keys related to the user's anonymous partial browsing history, unique public identifiers, and an inter-server communication enabler.
"If threat actors could anonymize app users, they could check a bunch of information about a specific user's browsing history and use it to extort money," CyberNews noted.
It has since been discovered that the open instance of Firebase has been shut down and is no longer accessible, meaning hackers can no longer access sensitive data. It's not all good news, though: Cybernews has reached out to the app's team about its findings, but has yet to hear back.
Further investigations also reveal that the app was last updated in October 2020, which means that the hardcoded "secrets" are probably still there. The researchers write: "...we can only guess what other information might be leaking through the app's secrets."