A mobile game on Apple’s App Store has left hundreds of thousands of users exposed to serious privacy risks, after researchers discovered that the app was leaking sensitive information through a misconfigured cloud database.
The game, Cats Tower: The Cat Game!, developed by Rhino Games but linked to Armenian developer Next Epic LLC, was found to be exposing user data through a vulnerable Firebase backend. Researchers at Cybernews found that the database was publicly accessible, exposing usernames, IP addresses, and even Facebook access tokens for over 450,000 players.
The exposed IP addresses can provide attackers with location estimates when combined with other data. Far more concerning is the leakage of Facebook access tokens, which could enable attackers to take over user accounts, post scam content, or send phishing messages under the user’s identity.
The Firebase misconfiguration also exposed a range of developer credentials known as “hardcoded secrets.” These included API keys, client IDs, and database URLs—critical elements that should never be visible in public-facing code. These types of leaks can enable threat actors to reverse-engineer the app’s backend, impersonate legitimate requests, and potentially weaponize the infrastructure for spam or broader data collection.
In addition to the leaked user data, the app’s code reportedly included nine types of sensitive credentials—placing it among the most carelessly secured apps found in a broader analysis of iOS software.
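For development teams, a pre-release check can flag the three secret types named above before a build ships. The following is an added example, not code from Cybernews or the app's developers; the regular expressions are assumptions based on the commonly seen shapes of Google API keys, OAuth client IDs and Firebase database URLs, and the sample values are constructed.

```python
import re
import sys
from pathlib import Path

# Assumed formats for the secret types the article names; tune per project.
PATTERNS = {
    "api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "client_id": re.compile(r"\b\d+-[0-9a-z]+\.apps\.googleusercontent\.com\b"),
    "database_url": re.compile(
        r"https://[a-z0-9\-]+(?:\.firebaseio\.com|\.[a-z0-9\-]+\.firebasedatabase\.app)"
    ),
}

def redact(value, keep=6):
    """Keep a short prefix so the report itself does not leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_text(text):
    """Return sorted (kind, line_number, redacted_value) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((kind, lineno, redact(match.group(0))))
    return sorted(findings)

def scan_tree(root):
    """Scan every file under root (for example an unpacked build directory)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            found = scan_text(path.read_text(errors="ignore"))
            if found:
                results[str(path)] = found
    return results

# Constructed sample resembling a bundled Firebase config; all values are fake.
SAMPLE = "\n".join([
    "<key>API_KEY</key><string>AIza" + "A1b2C" * 7 + "</string>",
    "<key>CLIENT_ID</key><string>123456789012-abc123def456.apps.googleusercontent.com</string>",
    "<key>DATABASE_URL</key><string>https://example-project.firebaseio.com</string>",
    "<key>BUNDLE_ID</key><string>com.example.game</string>",
])

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": scan_text(SAMPLE)}
    for path, found in hits.items():
        for kind, lineno, value in found:
            print(f"{path}:{lineno}: {kind} {value}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI step
```

Some of these identifiers are designed to ship in client apps, so a finding is a prompt to confirm that the key is restricted and the backend enforces access rules, not proof of a breach on its own.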
Cybernews, which reviewed over 156,000 iOS apps, reported that more than 70% leaked at least one secret, with an average of over five per app. While Cats Tower is a particularly egregious example, it’s not alone. The same investigation uncovered location leaks from family-tracking apps and private image exposures from dating platforms.
The case underscores a larger issue in mobile app security—namely, that even popular iOS applications are frequently shipped with critical vulnerabilities that can be exploited at scale, creating an urgent need for stricter app development standards and security audits.




