Pierluigi Paganini December 29, 2023
The Cybernews research team has discovered that the Clash Base Designer Easy Copy app exposed its Firebase database and user-sensitive information.
With 100,000 downloads on the Google Play store, the app enables Clash of Clans players to build a custom base layout and import it into the game. Users use these layouts to protect their trophies or loot from others during fights.
The app was developed by Rioat Apps, a name that might be mistaken for the globally renowned Riot Games studio, which created games such as “Fortnite” and “League of Legends.”
The exposed database puts Clash of Clans players at risk. While the data available in the open Firebase instance is not too sensitive, if a threat actor deleted the data, it would impact the app’s user experiences.
Furthermore, the database exposed six secrets hardcoded into the manifest that, combined with other potential vulnerabilities, could give threat actors backdoor access for malicious injections.
An exposed URL for a Google storage bucket is worrying as it is a link to the system’s storage, which can store practically anything from text files to databases, backups, images, videos, or other sensitive information.
The case is a stark example of the risks of using third-party apps. A variety of third-party apps assist with in-game tasks for Clash of Clans, which could potentially have the same or more severe vulnerabilities.
Cybernews contacted Rioat Apps but has yet to receive a response. The Firebase is still publicly accessible.
https://cybernews.com/security/clash-of-clans-third-party-app-leak/
About the author: Paulina Okunytė Journalist @ CyberNews
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Meduza Stealer)