Father
Professional
- Messages
- 2,602
- Reaction score
- 852
- Points
- 113
Firebase is Google's mobile platform that helps you quickly develop high-quality apps and grow your business. This post will focus on the Firebase database that many mobile developers use in their applications.
There is nothing special about Google Firebase database, it is just like any other cloud database. The problem can arise in Firebase when developers do not enable authentication. This vulnerability is very similar to any other database misconfiguration when there is no authentication. By leaving the database open to the world, it becomes a tasty morsel for attackers.
Google is well aware of this issue. If you try to search Google for vulnerable endpoints, you won't get any results. However, Google is not the only search engine. If you use Bing or any other search engine, you will get a lot of results:
Alternatively, you can search for firebase URLs in the source code of the site page, in JS files, or in APK files.
It is extremely easy to exploit a misconfiguration. Add ".json" to the end of your Firebase url and if you see their database then it is vulnerable:
In the image below, I managed to find an endpoint with a bunch of open passwords. You can also find endpoints with user posts, social security numbers, credit card details, and more.
If you are looking for a tool to automate this process, you can try:
github.com
You can see examples of reports on this vulnerability on Hackerone here (https://hackerone.com/reports/684099), here (https://hackerone.com/reports/1065134) and here (https://hackerone.com/reports/736283). And this link (https://danangtriatmaja.medium.com/firebase-database-takover-b7929bbb62e1) is an example of how you can completely capture an open database.
There is nothing special about Google Firebase database, it is just like any other cloud database. The problem can arise in Firebase when developers do not enable authentication. This vulnerability is very similar to any other database misconfiguration when there is no authentication. By leaving the database open to the world, it becomes a tasty morsel for attackers.
Google is well aware of this issue. If you try to search Google for vulnerable endpoints, you won't get any results. However, Google is not the only search engine. If you use Bing or any other search engine, you will get a lot of results:
Code:
site: .firebaseio.com "company name here"Alternatively, you can search for firebase URLs in the source code of the site page, in JS files, or in APK files.
It is extremely easy to exploit a misconfiguration. Add ".json" to the end of your Firebase url and if you see their database then it is vulnerable:
Code:
https://example123.firebaseio.com/.jsonIn the image below, I managed to find an endpoint with a bunch of open passwords. You can also find endpoints with user posts, social security numbers, credit card details, and more.
If you are looking for a tool to automate this process, you can try:
GitHub - francesc-h/firebase: Exploiting misconfigured firebase databases
Exploiting misconfigured firebase databases. Contribute to francesc-h/firebase development by creating an account on GitHub.
github.com
You can see examples of reports on this vulnerability on Hackerone here (https://hackerone.com/reports/684099), here (https://hackerone.com/reports/1065134) and here (https://hackerone.com/reports/736283). And this link (https://danangtriatmaja.medium.com/firebase-database-takover-b7929bbb62e1) is an example of how you can completely capture an open database.
