Misconfigured Firebase DB on Android and Web Apps

ProfessorXSS
4 min read · Oct 23, 2022

Keep looking through an Android app's hardcoded strings and a website's responses. Once you have the Firebase database URL, a database whose rules are misconfigured is trivial to exploit.

Hello folks, in this article I will explain how to check an Android app for a misconfigured Firebase database.

What is Firebase?

The Firebase Realtime Database is a cloud-hosted NoSQL database that lets you store and sync data between your users in real time. It is exposed over a REST endpoint (a URL under firebaseio.com or firebasedatabase.app), and who may read or write which path is governed entirely by the database's security rules.

Often the development or infrastructure team forgets to apply the recommended configuration to the hosted environment. For Firebase that configuration is the database security rules; when they are left open, the application's data store is exposed, which can compromise the whole company's data as well as its users' data.

That makes it one of a hacker's favourite ways into a company's applications 😂😂

Let's get back to today's topic, Firebase DB misconfigurations. According to StackShare, around 2,600 companies and more than 3 million applications use Firebase as their backend storage.

What if everything is publicly accessible ?? 🤔🤔

Yes, I found a misconfiguration of exactly this type in one of my findings.

In this article, I will explain the most common vulnerability in Firebase DB.

Let's get started !! 😉

I found the same kind of bug in both an Android app and a web app during my hunting days.

First, I will start with the Android application.

When hunting on Android, decompiling the APK is the most common first step. It reveals most of the application's structure and, very often, hardcoded credentials as well.

I decompiled the APK with apktool, a popular command-line utility that unpacks an Android .apk into its resources and smali code (a human-readable assembler syntax for Dalvik bytecode).

The result looks like the folder structure below.

Do you know? Developers are too lazy to implement the appropriate configurations, and most of the time, due to a lack of understanding or domain expertise, they are unable to write secure code. This is where the Technical Architect should come into the picture, but I don't know why these kinds of mistakes still exist in modern applications 🤷‍♂️🤷‍♂️

I came across this kind of noob architect in my previous days.

Whatever:-

Once I had decompiled the APK into smali code, I started to look through all the files, such as AndroidManifest.xml for permissions and so on.

Then I ended up searching for hardcoded credentials.

Guys, I recommend you don't forget to search for sensitive information such as internal IPs, hardcoded credentials, AWS keys, etc. in the res folder of the decompiled app; res/values/strings.xml in particular is where these values usually end up.

There are plenty of tools available to make a tester's work easier, and you can use them to find this hardcoded information. But make sure you also follow the manual approach: automated scanners only report values that match their patterns.

Wooow !! I found some juicy information in strings.xml: AWS secret keys, Google API keys, some internal IPs, and the Firebase endpoint URL, as shown:-

Cheers 🥂🥂

Firebase URL Hardcoded
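To make the strings.xml sweep repeatable, here is an added example in Python (my own code, not the author's) that parses a decompiled res/values/strings.xml, pulls out the value types mentioned above (Firebase database URLs, AWS access key IDs, Google API keys, RFC 1918 addresses) and derives the /.json URL to test next. The embedded strings.xml is constructed for the example; the project name and key values in it are placeholders (AWS's documented example key ID, a zero-filled Google key).

```python
import re
import xml.etree.ElementTree as ET

# Patterns for the kinds of values worth pulling out of res/values/strings.xml.
# The Firebase hostnames and the Google API key format (AIza + 35 chars) are the
# documented ones; the AWS pattern matches access key IDs (AKIA/ASIA prefix);
# the IPv4 pattern covers the RFC 1918 private ranges.
PATTERNS = {
    "firebase_url": re.compile(
        r"https://[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:firebaseio\.com|firebasedatabase\.app)"
    ),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
}


def scan_strings_xml(xml_text):
    """Parse an Android strings.xml and return {category: [(resource_name, value), ...]}."""
    root = ET.fromstring(xml_text)
    findings = {name: [] for name in PATTERNS}
    for elem in root.iter("string"):
        name = elem.get("name", "")
        value = "".join(elem.itertext()).strip()
        for category, pattern in PATTERNS.items():
            for match in pattern.findall(value):
                findings[category].append((name, match))
    return findings


def firebase_json_urls(findings):
    """Build the /.json URL to test for each Firebase database URL found."""
    return [url.rstrip("/") + "/.json" for _, url in findings["firebase_url"]]


# Constructed sample in the shape apktool writes under res/values/.
# All values are placeholders: an invented project name, AWS's documented
# example key ID (AKIAIOSFODNN7EXAMPLE) and a zero-filled Google API key.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">ExampleApp</string>
    <string name="firebase_database_url">https://example-app-default-rtdb.firebaseio.com</string>
    <string name="google_api_key">AIza{zeros}</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="staging_api_host">http://10.20.30.40:8080/api</string>
    <string name="support_email">help@example.com</string>
</resources>
""".format(zeros="0" * 35)


if __name__ == "__main__":
    found = scan_strings_xml(SAMPLE_STRINGS_XML)
    for category, hits in found.items():
        for resource_name, value in hits:
            print(f"{category:18s} {resource_name:24s} {value}")
    print("next, open in the browser:", firebase_json_urls(found))
```

Two caveats when triaging the output. The google_api_key and firebase_database_url entries are written into the app by the google-services Gradle plugin and are meant to ship in the client, so on their own they are not secrets; the Firebase URL only becomes a finding once the database's rules turn out to be open. An AWS access key ID, by contrast, should never be in an APK, and the matching secret access key is worth looking for by hand, since its 40-character format is too generic to grep reliably.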

Anyone who is a beginner can also find and report, But I’m a Pro Hacker.

And it doesn't have much impact unless it is actually exploitable.

Yes, true !!

You have to exploit or escalate the bug to the next level of severity, or else companies won't consider a hardcoded-credential report.

Then I remembered that many Firebase databases can be read, and even modified, without any authentication, but only if their security rules are misconfigured (for example `.read` and `.write` set to true at the root).
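For reference, the misconfiguration behind this is the database's security rules. A ruleset of `{"rules": {".read": true, ".write": true}}` lets anyone who knows the URL read and modify everything, and because rules cascade downwards, permission granted at the root cannot be taken back at a child path. The added example below is not from the original article: it shows a hardened ruleset for a hypothetical `users` tree (the path name is an assumption) in which each signed-in user can reach only their own node. Note that `auth != null` on its own would still let every signed-in account, including anonymous ones if anonymous sign-in is enabled, read the whole tree, which is why the rule also compares the uid.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

With no `.read` or `.write` at the root, every path not listed is denied by default, so the unauthenticated `/.json` request described in this article returns a permission error instead of the data.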

Yahhhhh…………

After that, I tried opening the Firebase URL in the browser with /.json appended to the end, and when I hit Enter..!!

OMG…..

Look what I found.

I got the whole database contents back in the browser.

It looks like this…..

Note: if you find a Firebase database URL during web app hunting (it is often sitting in the JavaScript bundle or in an API response), open it with /.json appended. A 200 response with data means the rules allow public reads; `{"error" : "Permission denied"}` means they do not.

If the information is readable, then Boom !!

Publicly accessible Database information!

Now, the Impact is critical.

Then I immediately started writing the report.

Hahaha hahaha…………….That’s really cool…….

Happy Hacking 🥂🥂

Thanks for reading.

Please follow me for more writeups.
