
App for Quitting Porn Leaked Users' Masturbation Habits

Hundreds of thousands of users told the app intimate details about their sexual urges, which are now exposed.
Photo by Alexander Grey / Unsplash

An app that purports to help people stop consuming pornography has exposed highly sensitive data, including its users’ masturbation habits. The exposed data includes users’ age, how often they masturbate, and how viewing pornography makes them feel. According to the data, many of the users are minors.

An example of the personal data of one user said they were “14,” that their “frequency” of porn consumption was “several times a week,” with a maximum of three times a day, and that their “triggers” were “boredom” and “Sexual Urges.” This user was given a “dependence score” and listed their “symptoms” as “Feeling unmotivated, lack of ambition to pursue goals, difficulty concentrating, poor memory or ‘brain fog.’”

We’re not naming the app because the developer has not fixed the issue, which was discovered by an independent security researcher who asked to remain anonymous. The researcher first flagged the issue to the creator of the app in September. The creator of the app said he would fix the issue quickly, but didn’t. The issue is a misconfiguration in the app’s use of Google Firebase, the mobile app development platform: Firebase makes it easy for anyone to sign up and become an “authenticated” user of an app, and if the app’s security rules grant every authenticated user access to its backend storage, as a widely used rules pattern does, then anyone who registers an account can read the user data stored there.

Overall, the researcher said he could access the information of more than 600,000 users of the porn quitting app, 100,000 of whom identified as minors.

The app also invites users to write confessions about their habits. One of these read: “I just can't do this man I honestly don't know what to do know more, such a loser, I need serious help.”

When reached for comment by phone, the creator of the app told me he had talked to the researcher but that the app never exposed any user data because of a misconfigured Google Firebase, and that the researcher could have faked the data I reviewed. 

“There is no sensitive information exposed, that's just not true,” the founder told me. “These users are not in my database, so, like, I just don't give this guy attention. I just think it's a bit of a joke.”

When I asked the founder why he previously thanked the researcher for responsibly disclosing the misconfiguration and said he would rush to fix it, he wished me a good day and hung up.

After the call, I created an account on the app, which the researcher was able to see appear in the misconfigured Google Firebase, showing that user information is still exposed. 

This Google Firebase misconfiguration issue has been known and discussed by security researchers for years, and is still common today. 

Dan Guido, CEO of the cybersecurity research and consulting firm Trail of Bits, told me in an email that this Firebase misconfiguration issue is “a well known weakness” and easy to find. He recently noted on X that Trail of Bits was able to make a tool with Claude to scan for this vulnerability in just 30 minutes. 

“If anyone is best positioned to implement guardrails at scale, it is Google/Firebase themselves. They can detect ‘open rules’ in a user's account and warn loudly, block production configs, or require explicit acknowledgement,” he said. “Amazon has done this successfully for S3.” S3 is AWS’s cloud storage product; publicly readable S3 buckets were for years a frequent source of exposed data until AWS added account-level public access blocking and loud warnings in its console.
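As an added illustration that is not from the article, the app, or Trail of Bits (the app’s actual rules are not public), here is the Firestore security-rules pattern that produces the kind of exposure described above, the “open rules” Guido refers to, beside a per-user rule that closes it. The collection name `users` and the use of the signed-in user’s `uid` as the document key are assumptions for the example.

```text
// Added example, not the app's real configuration. Firestore security rules.
// The "users" collection and uid-keyed documents are assumptions.

// WEAK: the pattern behind this class of exposure. Any signed-in user can
// read and write every document in the database. Because Firebase
// Authentication lets anyone register (or sign in anonymously, if that
// provider is enabled), "authenticated" here means "anyone who installed
// the app or called the Firebase Auth REST API with the app's public key".
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

// HARDENED: a user may read and write only the document keyed by their own
// uid. Enumerating other users' records, or any other collection, is
// rejected with PERMISSION_DENIED. Paths not matched by any rule are denied
// by default; the explicit catch-all makes that intent visible in review.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two caveats a reviewer should keep in mind. First, Firebase’s “test mode” template is even weaker than the first block: it allows all reads and writes, gated only on the current time being within about 30 days of setup, and it is easy to ship to production. Second, the Realtime Database has the same pitfall in different syntax (`".read": "auth != null"`), so checking only the Firestore rules is not enough. The Firebase console’s Rules Playground and the local emulator suite both let a developer confirm that a second, freshly registered account cannot read another user’s document before the app goes live.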

The researcher who discovered the misconfiguration in the app also said that the issue is the default setting in Google Firebase, but noted that Apple should review apps for these security issues before allowing them into the App Store.

“Apple will literally decline an app from the App Store if a button is two pixels too wide against their design guidelines, but they don't, and they don't check anything to do with the back end database security you can find online,” he said. 

Apple and Google did not respond to a request for comment. 
