Firebase URL ‘leaked technical information on Babylon’s GP at Hand’
- 19 June 2020
A series of technical information exposing potential weaknesses in Babylon Health’s technology was freely available through a Firebase database mistakenly left open, a Digitial Health New investigation found.
The database was being used by Babylon’s developers to store software testing information for the company’s technology and primary care app, GP at Hand, revealing the success rate of different functions, according an examination of the code by independent expert Rob Dyke.
Information stored in the exposed database could be used to attack the technology as it reveals which parts of the code could be vulnerable, according to Dyke.
Firebase is a popular Google backend service used to send information between apps on devices and the vendors of those apps.
In early May, security researchers at Comparitech reported dataleaks due to misconfigured Firebases databases and urged all developers to check their configuration “urgently”.
They found a simple change to a Firebase URL could allow an attack to view and download the contents of vulnerable databases.
After being notified of the issues on 22 April, Google told Comparitech it notifies users of potential misconfigurations and provides advice to correct them.
But last week Babylon’s firebase URL was still open and freely available for anyone to view and access information about tests run on their systems. The company rectified the situation soon after being contacted by Digital Health.
“At the moment they have this wide open Firebase URL which is showing debug information from the apps and this leaks information about the number of times it’s run debug tests and the times that the tests have been successful and overall successful rate,” Dyke told Digital Health News.
“For example, we can see the test of ‘appointment details cancel appointment’ has run 159 times and has been successful 119 times, giving it a 75% success rate.
“So they have a dataset that is leaking the results of tests of their application which could be useful to attack the application because you can find out which bits of code could be vulnerable.
“I haven’t found anything that would make it obvious to me that there is patient data available on it, but that’s because I’m not a malicious actor and I don’t intend to do the obvious steps of digging into this.”
A spokesperson for Babylon told Digital Health the Firebase flaw was “minor” and that Google’s recommended configuration changes had been applied to resolve the issue.
“It would not have given a malicious user access to any sensitive information and it would have enabled minimal impact, if any at all,” they said.
The company assured the data available through the Firebase URL did not contain any personal information and only related to low-priority internal application testing.
It comes as Babylon Health admitted GP at Hand suffered a data breach after a user was able to access video recordings of other patients’ consultations.
The company confirmed that three patients were able to view recordings of other patient’s consultations, citing a software error as the cause of the issue.
The breach was reported to the Information Commissioners Office.
Testing the software
As part of a Digital Health News investigation into the security of a number of primary care apps and providers, tests were run on the Babylon app, used by its GP at Hand patients, using the Mobile Security Framework (MobSF) assessment tool to check the app against the Common Vulnerability Scoring System (CVSS).
CVSS is a globally recognised standard for testing software and scoring its weaknesses. Scores are provided out of 100, with points being deducted when software weaknesses are high and added when the software has strong protection against potential weaknesses.
Babylon Health’s app security score was 10/100, putting it in the “critical risk” category, according to the CVSS scoring.
A spokesperson for Babylon said the provider makes use of “multiple testing services, including security scanners, internal and external security, and penetration testing” adding that the “security of an application is not possible to establish by simply running it through a security scanner”.
Babylon’s code is obfuscated, Dyke said, making it difficult to breakdown all the risks. But several were highlighted by the CVSS test including: insecure random number generator; app logging sensitive information; clear text storage of sensitive information; broken hashing algorithms.
Dyke raised concerns about the use of hashing algorithms, MD5 and SHA1, which “have been considered broken for quite some time”.
SHA1 was deprecated by the National Institute of Standards and Technology.
A Babylon spokesperson said the company uses “much stronger” encryption standards, alongside weaker ones, to ensure user protection.
“Babylon needs to ensure compatibility for technologies still in use around the world and while our application uses SHA1 for the Google Play application signing certificate, we employ much stronger encryption standards to ensure that users’ personal and sensitive information is protected,” they said.
“Protecting user data is of the utmost importance for Babylon, and we use industry-standard encryption (AES 256) for the protection of data across our platform and infrastructure.”
They added the weak CVSS scores “do not compare with our own results”.
