A recent investigation by cybersecurity researchers has revealed that OyeTalk, a voice-chat app with over five million downloads on the Google Play Store, left its database open to the public, exposing private data and conversations. The open Firebase instance exposed over 500MB of data, including unencrypted user chats, usernames, and International Mobile Equipment Identity (IMEI) numbers.
IMEI numbers are unique identifiers assigned to factory-built mobile phones and other devices with cellular connectivity. Hardcoded sensitive information, such as Google API keys and links to Google storage buckets, was also found in the application’s client-side code, where it can be easily recovered through reverse engineering.
The discovery of the OyeTalk data leak raises privacy concerns for voice-chat app users. If the leaked data had not been backed up, users’ private messages could have been lost permanently. Moreover, attaching an IMEI number to every message sent constitutes a massive privacy intrusion, as it permanently associates each message with a specific device and its owner. Threat actors could exploit this information for extortion.
This incident highlights the importance of secure coding practices for mobile applications. Hardcoding sensitive data in the client side of an Android app is risky: the same weakness has been exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored in open Firebase instances or other storage systems.
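The exposure described above is typically the result of a Firebase Realtime Database left in its permissive "test mode" rules, `".read": true, ".write": true` at the root, which let anyone with the database URL read or rewrite everything. The ruleset below is an added defensive example, not OyeTalk's configuration or anything recovered from the app; the node names (`chats`, `members`, `users`), the message fields (`senderId`, `text`, `ts`) and the rejected `imei` field are assumed for illustration. It denies all access by default, lets a user read a chat room only if they are listed as a member of it, lets them write only messages stamped with their own `auth.uid`, and refuses any message that carries a device identifier so the server never stores one even if a client tries to send it.

```json
{
  "rules": {
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "!newData.hasChild('imei')"
      }
    },

    "members": {
      "$roomId": {
        ".read": "auth != null && data.child(auth.uid).exists()",
        "$uid": {
          ".write": "auth != null && auth.uid === $uid"
        }
      }
    },

    "chats": {
      "$roomId": {
        ".read": "auth != null && root.child('members').child($roomId).child(auth.uid).exists()",
        "$messageId": {
          ".write": "auth != null && root.child('members').child($roomId).child(auth.uid).exists() && (!data.exists() || data.child('senderId').val() === auth.uid) && newData.child('senderId').val() === auth.uid",
          ".validate": "newData.hasChildren(['senderId', 'text', 'ts']) && newData.child('text').isString() && newData.child('text').val().length <= 4000 && newData.child('ts').isNumber() && !newData.hasChild('imei')"
        }
      }
    }
  }
}
```

Two points of design worth noting. Realtime Database rules cascade permissively: a grant at a parent node cannot be revoked by a child, so the only safe shape is a root-level deny with narrow grants at the deepest node that needs them, as above. And the `.validate` clause on each message is the server-side control against the second problem in this incident: the client app attaching an IMEI to every message. Rejecting the field at the database means a leaked dataset would not contain device identifiers even if a client build still tried to send them. API keys and bucket URLs embedded in the APK remain readable to anyone who decompiles it, so they must be treated as public and the real authorization must live in rules like these, not in the client.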
The app developers were informed of the data leak but did not close public access to the database. Google’s own security measures eventually closed off the instance; the dataset was reportedly too large to download in one go.