As Wired points out, this kind of data leaking doesn't have to be intentional by any means. All it takes is to cut a couple of corners in the configuration process and server routing, and all kinds of personal data are exposed for the taking. This is exactly how these apps have done it. Rather than putting in the effort to set up their own servers through which to route sensitive data, they are making use of the public Amazon Web Services, Google Cloud, and Microsoft Azure back-end services.
The disturbing part is that it's more than just basic advertising-related information that is at stake. Zimperium has discovered that users' personal information, passwords, and medical information, as well as financial and payment info (depending on the app services) are also being leaked and visible to anyone who is interested. The dangers of that kind of information falling into the wrong hands are tremendous, and according to Zimperium's CEO, the nearly 20,000 poorly configured apps are leaving the doors wide open to just that. What's worse, some are allowing sensitive data to be overwritten remotely, increasing the risk of fraud.
Zimperium has informed many of the faulty apps' developers about the issue, but says there was little to no reaction. Unfortunately, it is not known if these misconfigurations (which include banking apps) have been exploited yet, and Zimperium is not naming any names on the grounds that it's not practically possible for them to contact tens of thousands of developers about the problems.