Hey guys so this blog post is about Exploiting Insecure Firebase Databases, due to Improper set security rules one can write data to the database in certain conditions here’s a Short POC tutorial of the issue.
A few days ago i was doing static analysis of an Android app on a bug bounty target, as normally i decompiled my targeted APK file was looking around in the app when i saw a string in string > resources.arsc that was “firebase_database_url” : “https://TARGETED-DATABASE.firebaseio.com”.
And as many you of already know about an issue exists where if due to Human Error the security rules of the database are left on “true” for Both of the values, more like left in test mood for easy access [read/write]
Visit https://firebase.google.com/docs/database/security to learn more about security rules.
Then an attacker or a malicious user can have read & write control over the database.
ref: A Tweet by a Infosec Friend (https://twitter.com/Paresh_parmar1/status/1198181916173721600) & (https://twitter.com/ghostlulz1337/status/1199392860862341120)
After seeing these tweets and as it matches my target response. I got curious to learn about writing data to the targeted database as POC! as these tweets didn’t showed me a way to write just about it’s exposure. so i found these 3 Links.
But Non of the Blog or reports. answered a question in details about writing the data to the targeted database. so i started doing what these guys did in the reports. for example in report #684099 (this report and the blog are the same). The hacker wrote “In my POC I took the approach to make one Android application to insert a sample data to confirm the takeover.” and gave a code snippet in his report that was
Now for a guy like me who’s not to much into coding right now and was looking for an easy way out. i wasted like 1 hour to make a simple app to work but i always end up with one or more errors. (did learn a lot though)
So i skipped once it worked! but i was looking for even more easier way. thus comes report #736283 . In his report the hacker wrote “With the following code I was able to write to the database” and gave a code snippet that was.
Now at this point i had one option working but with many errors and mind totally diverted from that so i followed the next report. Here the hacker had used code snippet from firebase-php Firebase Admin SDK for PHP . But comes again my laziness it was hard to setup for my test system as i refreshed my mac a few hours before and still missing a lot of stuff . So with this code i messaged the reporter to help me out but as he couldn’t reply i did a brainstorming session with myself and googling each error i faced.
I get to use it as well on my test app that i created for all of this! (NOTE TO SELF: NEVER EVER MESS WITH PRODUCTION ENVIRONMENT OF OTHERs). Anyway i found this way to also be time taking and a little bit difficult for noobs like me. as of usage of composers and all these errors.
Now for this i went to read the official Documentation provided by Google about Firebase (Yeh i know i should have done it before but i’m kinda dumb). at first as i was working with an Android App i followed and read docs at https://firebase.google.com/docs/android/setup . But going through many pages, code snippets and making personal notes i found Firebase Database REST API to be the easiest way to exploit this issue.
It was as simple as sending a curl request. so just to add some more fun to this i made a simple 3 liner in python
Anyway it will work simple as this.
Moved to a Cleaner and Better looking Exploit with python. https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
That’s all Guys!
#Note for Friends: “I’m a big believer in random capitalization. The rules of capitalization are so unfair to words in the middle.”