2025-04-28 | Application security, Privacy

Misconfiguration leaks Second Phone Number iOS app data

Almost four million users of the virtual phone number iOS app "Second Phone Number," most of whom are in the U.S., are at risk of having their information inadvertently exposed by an unsecured Firebase instance, which has remained unsecured since its discovery in January, reports Cybernews. Initial identification of the misconfiguration revealed more than 700 SMS messages, including sender and recipient phone numbers and recipient names set by app users, but the exposure could be significantly more extensive because the database is used only as a temporary repository, according to Cybernews researchers. Further analysis also revealed the exposure of API keys, client IDs, Google App IDs, database URLs, reversed client IDs, project IDs, storage buckets, and GAD application identifiers, which could be leveraged to exploit API services. Such findings should prompt the implementation of appropriate Firebase security rules and the transfer of sensitive secrets to app servers. "Hardcoded secrets allow threat actors to enumerate infrastructure used by the app, if any authentication secrets are present, it may also allow threat actors to abuse the affected services in order to harvest user data or use the services for their own, unauthorized purposes," said Cybernews researcher Aras Nazarovas.
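An added example, not from Cybernews or the app's developers: a small Python check that flags Firebase Realtime Database rules granting unauthenticated read or write, run over a constructed open rule set and a constructed per-user one. It assumes the exposed instance is a Realtime Database (the report only says "Firebase instance"); the `messages/$uid` path and both rule sets are hypothetical.

```python
import json

# Constructed sample rules, not taken from the affected app.
# Open form: anyone who knows the database URL can read and write everything.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'

# Hardened form: deny by default, each signed-in user reaches only their own subtree.
# "messages" and "$uid" are hypothetical path names.
HARDENED_RULES = """
{"rules": {
  ".read": false,
  ".write": false,
  "messages": {
    "$uid": {
      ".read": "auth != null && auth.uid === $uid",
      ".write": "auth != null && auth.uid === $uid"
    }
  }
}}
"""

def _is_public(expr):
    """True when a rule grants access unconditionally (boolean true or the string "true")."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def audit_rules(rules_json):
    """Return sorted (path, operation) pairs that are open to unauthenticated clients."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for op in (".read", ".write"):
            # Grants cascade: an open rule here also opens every child path.
            if _is_public(node.get(op)):
                findings.append((path or "/", op))
        for key, child in node.items():
            if not key.startswith("."):  # skip .read/.write/.validate/.indexOn
                walk(child, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(text))
```

The check only catches unconditional grants; a rule such as `auth != null` alone still lets any signed-in account read the path, so per-user conditions need manual review.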
