Exploiting Insecure Firebase Database!

Hey guys so this blog post is about Exploiting Insecure Firebase Databases, due to Improper set security rules one can write data to the database in certain conditions here’s a Short POC tutorial of the issue.

A few days ago i was doing static analysis of an Android app on a bug bounty target, as normally i decompiled my targeted APK file was looking around in the app when i saw a string in string > resources.arsc that was “firebase_database_url” : “https://TARGETED-DATABASE.firebaseio.com”.

And as many you of already know about an issue exists where if due to Human Error the security rules of the database are left on “true” for Both of the values, more like left in test mood for easy access [read/write]

{
“.read”: true,
“.write”: true
}

Visit https://firebase.google.com/docs/database/security to learn more about security rules.

Then an attacker or a malicious user can have read & write control over the database.

ref: A Tweet by a Infosec Friend (https://twitter.com/Paresh_parmar1/status/1198181916173721600) & (https://twitter.com/ghostlulz1337/status/1199392860862341120)

 

After seeing these tweets and as it matches my target response. I got curious to learn about writing data to the targeted database as POC! as these tweets didn’t showed me a way to write just about it’s exposure. so i found these 3 Links.

  1. https://hackerone.com/reports/684099
  2. https://medium.com/@danangtriatmaja/firebase-database-takover-b7929bbb62e1
  3. https://hackerone.com/reports/736283

But Non of the Blog or reports. answered a question in details about writing the data to the targeted database. so i started doing what these guys did in the reports. for example in report #684099 (this report and the blog are the same). The hacker wrote “In my POC I took the approach to make one Android application to insert a sample data to confirm the takeover.” and gave a code snippet in his report that was

Now for a guy like me who’s not to much into coding right now and was looking for an easy way out. i wasted like 1 hour to make a simple app to work but i always end up with one or more errors. (did learn a lot though)

So i skipped once it worked! but i was looking for even more easier way. thus comes report #736283 . In his report the hacker wrote “With the following code I was able to write to the database” and gave a code snippet that was.

Now at this point i had one option working but with many errors and mind totally diverted from that so i followed the next report. Here the hacker had used code snippet from firebase-php Firebase Admin SDK for PHPBut comes again my laziness it was hard to setup for my test system as i refreshed my mac a few hours before and still missing a lot of stuff . So with this code i messaged the reporter to help me out but as he couldn’t reply i did a brainstorming session with myself and googling each error i faced.

You should totally follow me on Instagram @khiizzer

I get to use it as well on my test app that i created for all of this! (NOTE TO SELF: NEVER EVER MESS WITH PRODUCTION ENVIRONMENT OF OTHERs). Anyway i found this way to also be time taking and a little bit difficult for noobs like me. as of usage of composers and all these errors.

#Easy Exploitation: 

Now for this i went to read the official Documentation provided by Google about Firebase (Yeh i know i should have done it before but i’m kinda dumb). at first as i was working with an Android App i followed and read docs at https://firebase.google.com/docs/android/setup . But going through many pages, code snippets and making personal notes i found Firebase Database REST API to be the easiest way to exploit this issue.

It was as simple as sending a curl request. so just to add some more fun to this i made a simple 3 liner in python

Yeh a lot of useless extra spaces! just to make it look extra 1337.

Anyway it will work simple as this.

 

#POC:

  1. Decompile an app android or ios or you can also find these sometimes in web apps keep an eye out.
  2. copy the database URL and visit it like https://khizer-test.firebaseio.com/.json
  3. If the site gives you a null or a response full of JSON data, than the read permission is enabled. you just gotta test it for write permission
  4. for that u can you can of the methods above. for the simple exploit just edit the data in line 7 & firebase database name in line 9.
  5. run it and check your Insecure/vulnerable firebase databases for the entry!
  6. https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit Friends can download it from here and modify it for fun

 

Update:

Moved to a Cleaner and Better looking Exploit with python. https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit

#Enjoy!

That’s all Guys!

 

#Takeways:

  • Always look for easy ways out but do go through the learning process connected to harder paths and paths you get confused on.
  • Always google & ask questions
  • Write just for fun

#Note for Friends: “I’m a big believer in random capitalization. The rules of capitalization are so unfair to words in the middle.” John Green, Paper Towns That’s why you guys see so much capitalization in my blogs so kindly ignore and move on.

 

 

 

 

 

About the Author

Muhammad Khizer Javed

Cyber Security Researcher,  Bug Bounty Hunter & Freelance Pentester.

6 thoughts on “Exploiting Insecure Firebase Database!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: