Flipaclip, an animation creation app that is particularly popular with youngsters, has exposed the details of over 890,000 users.
A vulnerability in the frame-by-frame animation app, which is available for iOS and Android, was initially discovered this month by researcher "BobDaHacker" who responsibly reported it to FlipaClip's developers Visual Blasters.
The vulnerability allowed unauthorised parties to access information about the app's users from an exposed Google Firebase server.
Following BobDaHacker's disclosure to Visual Blasters of the vulnerability, a separate party exploited the security hole to extract data - sharing it with security journalist Ryan Fae.
According to Visual Blasters, it was not possible to access the most sensitive information related to FlipaClip's users such as their financial details and passwords, or users' animation projects.
However, names, dates of birth, email addresses, and countries of residence were breached and it is easy to imagine how a fraudster could exploit such information (for instance, in a phishing campaign) to trick FlipaClip animators into handing over their login credentials and other sensitive information.
Particularly vulnerable may be FlipaClip's users aged under 18, who in 2022 were reported to make up some 70% of the app's userbase.
Thankfully for a Flipaclip's monthly active user base of over 6 million people, there is no indication that the exposed user information has been shared publicly.
Josh Ward of Visual Blasters, FlipaClip's developer, told CyberInsider that the issued has now been "fully rectified."
According to a tweet by Ryan Fae, FlipaClip says it is enhancing its security measures and is seeking legal advice regarding notifying data regulators about the security incident.
Disappointingly, it does not appear that users have yet been notified by FlipaClip about the data breach, meaning that many are unlikely to be aware that a security issue occurred - even if the danger is not considered high.
Google Firebase is a backend cloud-based database service, commonly-used by websites and apps to store data. Unfortunately, there has been a long history of misconfigured Firebase setups leaving sensitive information exposed to the public internet.
Google has published security guidelines for developers, in an attempt to reduce the number of misconfigured Firebase databases exposing the data of mobile apps.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsDecember 24, 2024
December 19, 2024
November 14, 2024