Android app with over 5 million downloads leaks user browsing history, security transactions

The Android app Web Explorer – Fast Internet left an open instance, exposing a wealth of sensitive data that malicious actors could use to examine a specific user’s browsing history.

The original post is at

Browsing Application Web Explorer for Android Devices The Cybernews research team discovered that Fast Internet opened its Firebase instance, exposing application and user data.

Firebase is a mobile app development platform that offers many features, including analytics, hosting, and real-time cloud storage.

browser Fast Internet is a browsing app with over 5 million downloads on the Google Play store. It boasts a 30% faster browsing speed and has an average user rating of 4.4 out of 5 stars based on more than 58,000 reviews.

De-anonymize users

According to the team, the open Firebase instances contained several days of redirection data, provided by user IDs. This includes the country, redirect from, redirect to, and user country.

“If threat actors can deanonymize users of an app, they will be able to examine a wealth of information about a particular user’s browsing history and use it for blackmail,” Cybernews researchers said.

However, getting the data for Web Explorer Exposure to fast internet is not enough by itself. Threat actors must also find out where app developers store additional user data. That said, cross-referencing the leaked data with other details could amplify any damage done to app users.

Key and ID

The team also discovered that the app hardcoded sensitive information on the client side of the app. Hardcoding sensitive information (often referred to as “secrets”) is considered a bad practice because threat actors can extract it for malicious use.

browser Fast Internet has a hardcoded firebase_database_url key that points to a database with an anonymous portion of the user’s browsing history, default_web_client_id, a unique public identifier assigned to applications using Firebase, and gcm_defaultSenderId, a key that enables cross-server communication.

“If threat actors can deanonymize users of an app, they will be able to examine a wealth of information about a particular user’s browsing history and use it for ransom.”network news researchers said.

The app also holds a google_api_key and google_api_id, both of which are used for authentication purposes. API keys and application IDs are used to identify authenticated Google applications to access Google API services.

Additionally, the team found that the google_crash_reporting_key and google_storage_bucket keys were hardcoded in the app. The first key is not too sensitive, but it can still be exploited by threat actors to affect the user experience. For example, they can make simulated requests, disrupting the application’s crash reporting and negatively impacting performance.

At the same time, hardcoding the google_storage_bucket_key into the application allows the threat actor to read and write any information on the private bucket in Google Cloud Services (GCS) if the bucket lacks authorization settings. Although the team did not check that the bucket was publicly accessible, it was still a case of misconfiguration that could have resulted in sensitive user details being further exposed.

Is it resolved now?

The team contacted Web Explorer, but… see

The original post is at

About the Author Vilius Petkauskas, Senior Reporter

Follow me on Twitter: @securityaffairs and Facebook and mastodon

Pierluigi Paganini

(security affairs Hacking, Android Apps)

Leave a Reply

Your email address will not be published. Required fields are marked *