A popular Android barcode scanner app has some worrying cybersecurity flaws

Everything users scanned went to an open database

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A popular barcode-scanning app for Android carried a severe vulnerability that allowed anyone easy access to a database full of sensitive data, as long as they knew where to look.

This is according to Cybernewsreporton the flaw in the Barcode to Sheet app, which allowsecommerceusers to scan a barcode on an item and generate data in a format readable by different spreadsheet apps.

It has more than 100,000 downloads on theGoogle Play Store, and an average rating of 4.5/5, making it relatively popular and trusted.

Different use cases, all dangerous

The data generated with the scanner went to a Firebase database which, the researchers said, was unprotected. It contained more than 360MB of data, including information about products, reports, emails, user IDs, and user passwords. Some of the information was stored in plaintext, while passwords were stored in the MD5 hash format. MD5 is all but deprecated, as it’s a broken hash algorithm and can be unlocked with basic programming knowledge.

But that’s not all, as the database also contained sensitive data on the application’s client side, with access keys and IDs alongside web client IDs, Google API keys, Google app ID, crash reporting keys, and more.

“The leaked data is sensitive. Not only did it include the application’s secrets, stored on the client side of the app, but enterprise and user information as well, including users’ passwords,” the Cybernews team said.

This means the data could be used in a number of different attacks, ranging from simple phishing attacks toidentity theft, ransomware deployment, and more. Even the competition can use the data to understand their business landscape, identify their strength and weaknesses, and ultimately gain an unfair advantage.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“Competitors can use the data for intellectual property espionage. One way to do that would be analyzing user preferences and checking what type of goods the company that was using the app has in stock,” the Cybernews team said.

The app’s developers are said to be working on a solution, and TechRadar Pro has contacted them for comment.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

England vs Australia live stream: how to watch 2024 rugby union Autumn International online from anywhere