Research by Cybernews found that the Tap Busters: Bounty Hunters app had left its database open to the public, allegedly exposing users’ private conversations for at least five months.
Tap Busters: Bounty Hunters is an idle RPG game with over one million downloads on Google Play Store and a 4.5-star rating based on over 45,000 reviews. In the game, players take on the role of bounty hunters trying to become masters of the galaxy. They defeat villains and collect loot as they travel through different alien realms.
The app, which has over a million downloads on Google Play Store and a 4.5-star rating, left its database open to the public, allegedly leaking users’ private conversations for over five months, the report said.
Sensitive information was also hardcoded into the client side of the gaming app, leaving it open to further leaks.
The leak resulted from unsecured access to Google's Firebase mobile application development platform, which is used to host databases in the cloud. Because access was unprotected, anyone could jeopardise user security by accessing the database.
The unprotected data included sensitive information such as usernames, timestamps, and private messages.
The developers also hardcoded confidential information into the application's client-side code, leaving it open to reverse engineering attacks.
The report mentioned that Tap Busters: Bounty Hunters was one of the tens of thousands of apps on the Google Play Store that were found to be susceptible to data leaks.
Earlier this year, more than 33,000 Android apps were also found to contain sensitive types of hardcoded secrets, leaving sensitive user data exposed to malicious threat actors.
Tilting Point, the company behind a number of other popular games with sizable player bases, created the game. Over five million people have downloaded some of these games. Despite being made aware of the data leak, the software developer did not shut down database access for the general public.
However, the app's Firebase instance contained so much data that threat actors could not retrieve it all at once because of Google's data transfer restrictions, which made the instance's payload too big to be used.