[ BUG BOUNTY ] Firebase Database Takeover

Danang Tri Atmaja
3 min read · Oct 9, 2019

In the name of God, the Most Gracious, the Most Merciful

This is a simple PoC. Credit for the original writeup: Deeptiman Pattnaik.

Steps to reproduce

  1. Get the APK of the app. Any tool that pulls the APK off the device will do; for this PoC I used “APK Extractor” https://play.google.com/store/apps/details?id=com.ext.ui&hl=e
  2. Decompile the APK with apktool (instructions at the link below) to extract the resources and source code from the APK.
    https://ibotpeaches.github.io/Apktool/
  3. Open res/values/strings.xml and search for the keyword “firebase”.
  4. You will find a URL of the form “https://xyz.firebaseio.com/”.
  5. Next, open a browser and load “https://xyz.firebaseio.com/.json”.
  6. If the response is “null”, the Firebase database is public. With proper database rules it should instead respond with “Permission Denied”. https://firebase.google.com/docs/rules
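Steps 3 to 6 as a repeatable check you can run against a database you are responsible for; this is an added Python example, not code from the original post. The strings.xml excerpt is constructed, and the URL and response strings follow the placeholders used in the steps above.

```python
import json
import re
import urllib.error
import urllib.request

# Constructed strings.xml excerpt in the shape apktool dumps (not from the post).
STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">SampleApp</string>
    <string name="firebase_database_url">https://xyz.firebaseio.com</string>
    <string name="default_web_client_id">PLACEHOLDER_CLIENT_ID</string>
</resources>"""

FIREBASE_URL_RE = re.compile(r"https://[\w.-]+\.firebaseio\.com")


def find_firebase_urls(strings_xml: str) -> list:
    """Steps 3-4: list every Realtime Database URL in a decompiled strings.xml."""
    return sorted(set(FIREBASE_URL_RE.findall(strings_xml)))


def classify_rules_response(status: int, body: str) -> str:
    """Step 6: interpret the reply to GET <database>/.json.

    200 with any JSON body, including the literal null of an empty tree, means
    the root is readable without credentials; 401 "Permission denied" means the
    security rules rejected the anonymous request.
    """
    if status == 200:
        json.loads(body)  # anything that is not JSON is not a database reply
        return "open"
    if status in (401, 403) and "permission denied" in body.lower():
        return "protected"
    return "unknown"


def check_own_database(url: str) -> str:
    """Steps 5-6 against your own database (network call, so not exercised offline)."""
    try:
        with urllib.request.urlopen(url.rstrip("/") + "/.json", timeout=10) as r:
            return classify_rules_response(r.status, r.read().decode())
    except urllib.error.HTTPError as e:
        return classify_rules_response(e.code, e.read().decode())
```

Feeding every URL from find_firebase_urls into check_own_database turns the manual browser step into a check that can run in CI against each release build.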

Security Impact

Now that it is public, it is trivial for an attacker to run queries against the database. In my PoC I wrote a small Android application that inserts sample data to confirm the takeover.

Android Code Snippet

import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import com.firebase.client.Firebase;

public class SampleFirebaseActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_sample_firebase);
        Firebase.setAndroidContext(this);
        Firebase.getDefaultConfig().setPersistenceEnabled(true);
        // No authentication before the write: the open rules accept the anonymous request.
        Firebase firebase = new Firebase("https://████████/");
        firebase.child("test").setValue("Firebase Database take over by 1337");
    }
}

The application above does not need any access token to insert data into the Firebase database: it is completely open, and anybody can write to it without any credentials.

To avoid this type of vulnerability, always set the database rules to private.
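As an added example (not from the post), the open rules document that produces the “null” response above is shown beside a locked one, together with a small lint that flags any node granting read or write to everyone. Both rule documents are constructed, and the per-user users/$uid pattern is an assumed choice for the corrected form.

```python
import json

# Constructed rules documents (not from the post): the open configuration that
# answers GET /.json without credentials, and a corrected one.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}""")

LOCKED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}""")


def public_paths(rules: dict, path: str = "/") -> list:
    """Return every path whose .read or .write is granted to everyone.

    Firebase accepts both the JSON literal true and the expression string
    "true"; rules cascade downward, so either one at any node exposes that
    whole subtree to anonymous clients. This is what a pre-deploy lint should reject.
    """
    found = []
    for key, value in rules.items():
        if key in (".read", ".write") and (value is True or value == "true"):
            found.append(path + key)
        elif isinstance(value, dict):
            found.extend(public_paths(value, f"{path}{key}/"))
    return found


def audit_rules(document: dict) -> list:
    """Lint a full rules document ({"rules": {...}}) as exported from the console."""
    return public_paths(document.get("rules", {}))
```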

It is easy to see how critical an open database with a large storage quota is: it lets an attacker anonymously store highly sensitive compromised data in the Firebase database.

An attacker can store many different kinds of data in such a Firebase database: malicious links, stolen credit card details, users’ stolen email passwords or an organization’s financial information.

Most importantly, Firebase allows hyperlinks to be stored in the database, so an attacker can build an application that tricks end users into clicking suspicious links unknowingly. Meanwhile there is no way to hold the anonymous attackers accountable for the data they store, because the database is wholly owned by Twitter. This could severely damage Twitter’s public reputation and could lead to a lawsuit from the federal authorities for allowing anonymous attackers open access to store records illegally.

Recent Attacks

Several recent attacks have resulted from Firebase database misconfigurations that allowed any user to access company records publicly. I advise you to follow the links below; you may not plan to store records in a Firebase database yourself, but they will make you aware of how sensitive a misconfigured Firebase database is.

  1. https://www.xda-developers.com/user-data-leak-misconfigured-firebase-backends/
  2. https://medium.com/@fs0c131y/how-i-found-the-database-of-the-donald-daters-app-af88b06e39ad
  3. https://blog.netspi.com/when-databases-attack-entry-points/

A blog regarding storing stolen records in your database

  1. https://www.foregenix.com/blog/magento-websites-stolen-credit-card-data-stored-in-your-database

Resolve Insecurities

Firebase publishes guidelines for resolving insecurities and misconfigurations; please follow this link:

  1. https://firebase.google.com/docs/database/security/resolve-insecurities

Firebase GDPR Ready

Firebase follows a strongly GDPR-compliant model, and Firebase has categorized some key questions to protect users’ privacy and to define the responsibility of a data protection officer to control an organization’s data.

  1. How does your organization ensure user transparency and control around data use?
  2. Are you sure that your organization has the right consents in place where these are needed under the GDPR?
  3. Does your organization have the right systems to record user preferences and consents?
  4. How will you show regulators and partners that you meet the principles of the GDPR and are an accountable organization?

I highly recommend following the guidelines below for making Firebase GDPR ready.

  1. https://firebase.google.com/support/privacy
  2. https://www.termsfeed.com/blog/gdpr-firebase-dpo/
  3. https://firebase.google.com/terms/data-processing-terms

One more thing I’d like to point out: this Firebase database link was found in a production Android app, so it is a live database and needs to be configured securely. As always, it is best practice to secure company property properly.


Danang Tri Atmaja

IT Security { enthusiast } — Penetration Tester PT. ITSEC Asia