Modern technology gives us many things.

Popular Android app was 'stealing' passwords and personal information

A popular scan for android had a serious vulnerability that allowed anyone to easily access a database full of sensitive personal information, as long as they knew where to look.

This according to the report of Cybernews about the flaw in the Barcode to Sheet application, which allows e-users limit to scan a barcode on an object and generate data in a format readable by different spreadsheet applications. It has more than 100.000 downloads on the Google Play Store and an average rating of 4,5/5, making it relatively popular and reliable.

Different use cases, all dangerous

The data generated with the scanner went into a Firebase database, which the researchers said was unprotected. It contained more than 360 MB of data, including information about products, reports, emails, user IDs and user passwords. Some of the information was stored in plain text, while passwords were stored in MD5 hash format. MD5 is almost deprecated as it is a broken hashing algorithm and can be cracked with basic programming knowledge.

But that's not all, as the database also contained sensitive application client-side data, with access keys and identifiers along with web client IDs, Google API keys, Google App ID, bug reporting keys and more.

«The leaked data is sensitive. Not only did it include the application secrets, stored on the client side of the application, but also information about and users, including user passwords,” the Cybernews team reported.

This means the data could be used in many different attacks, ranging from simple phishing attacks to identity theft, ransomware deployment, and more. Even the it can use the data to understand its business landscape, identify its strengths and weaknesses, and ultimately gain an unfair advantage.

“Competitors can use the data for intellectual property espionage. One way to do this would be to analyze user preferences and check what kind of products the company using the app has in stock,” the Cybernews team said.

The app developers are said to be working on a fix.

// Allow detecting when fb api is loaded.
function Deferred() {
var self = this;
this.promise = new Promise( function( resolve, reject ) {
self.reject = reject;
self.resolve = resolve;
window.fbLoaded = new Deferred();

window.fbAsyncInit = function () {
FB.init ({
appId : '[email protected]',
autoLogAppEvents : true,
xfbml : true,
version : 'v3.0'


(function (d, s, id) {
var js, fjs = d.getElementsByTagName (s) [0];
if (d.getElementById (id)) {return;}
js = d.createElement (s); = id;
js.src = “”;
fjs.parentNode.insertBefore (js, fjs);
}(document, 'script', 'facebook-jssdk'));


Follow on Google News