Google Exposed Firebase Database

Slack Group

Before we get started, I have started a Slack group dedicated to hacking. We welcome everyone from beginner to advanced to join. I will be on every day answering questions, doing CTFs, and talking about cool hacks. If you enjoy hacking and are looking for like-minded people, join below:

NEW Hacking Group Slack Channel

Introduction

Firebase is Google's mobile platform that helps you quickly develop high-quality apps and grow your business. This post is going to focus on the Firebase Database that many mobile developers use in their applications. There is nothing special about Google's Firebase Database; it's just like any other cloud-based database.

Exposed Firebase Database

An issue can arise in Firebase when developers fail to enable authentication. This vulnerability is very similar to every other database misconfiguration: there's no authentication. Leaving a database exposed to the world unauthenticated is an open invite for malicious hackers.

It seems that Google is well aware of the problem. If you try to do a Google dork search for vulnerable endpoints you won't get any results. This is because the results are scrubbed by Google.

site:.firebaseio.com "COMPANY NAME HERE"

However, if you use Bing or any other search engine you will get plenty of results.

Nothing against Google, I just found it interesting how Google is trying to hide this vulnerability instead of getting to the root of the problem.

Exploiting this misconfiguration is extremely easy. Append ".json" to the end of a Firebase database URL; if you are able to see their database, they are vulnerable.

As you can see in the above image, I was able to find an endpoint with a bunch of exposed passwords. I've also been able to find endpoints with user messages, social security numbers, credit card details, and much more.

If you're looking for a tool to automate this process, I would suggest:

https://github.com/Turr0n/firebase
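The check described above, turned into a self-audit for your own project, as an added example that is not part of the original post or of the tool linked above. It uses the Realtime Database REST endpoint (`/.json`, with the real `shallow=true` parameter so only top-level keys come back instead of the whole tree) and also shows the rules that cause the problem next to a corrected set. The database URL and the two rule sets are constructed placeholders.

```python
import json
import urllib.error
import urllib.request

# Constructed sample: the rules that reproduce the misconfiguration in the post.
# A literal true at the root lets anyone on the internet read (and here write)
# the entire tree with no authentication at all.
OPEN_RULES = {"rules": {".read": True, ".write": True}}

# Constructed sample of corrected rules: a signed-in user may only touch the
# subtree keyed by their own uid; everything not matched is denied by default.
LOCKED_RULES = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
}


def root_is_public(rules):
    """True if the root '.read' rule is an unconditional true (bool or the string 'true')."""
    root = rules.get("rules", {})
    return root.get(".read") in (True, "true")


def classify(status, body):
    """Interpret the answer to GET <db>/.json?shallow=true."""
    if status == 200:
        return "public-read"        # rules allow unauthenticated reads of the root
    if status in (401, 403):
        return "auth-required"      # e.g. {"error": "Permission denied"}: rules are enforced
    return "other"                  # unknown database, rate limiting, etc.


def audit(db_url, timeout=10):
    """Probe one Realtime Database root and return the classification string."""
    url = db_url.rstrip("/") + "/.json?shallow=true"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return classify(exc.code, exc.read())


if __name__ == "__main__":
    print("open rules exposed at root:", root_is_public(OPEN_RULES))
    print("locked rules exposed at root:", root_is_public(LOCKED_RULES))
    # Placeholder: substitute the database URL of a project you own.
    print(audit("https://YOUR-PROJECT.firebaseio.com"))
```

A "public-read" result on your own database means the rules still look like OPEN_RULES and should be replaced with per-user conditions like LOCKED_RULES before any data goes in.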

Conclusion

The vast majority of developers and hunters are unaware of the pitfalls that come with using the Firebase database. You can easily dump an entire database by simply visiting a URL. It is important to learn the misconfigurations in popular tech stacks so you can find these easy wins and get paid.

4 thoughts on “Google Exposed Firebase Database”

  1. I am not sure the place you're getting your info, but great topic. I need to spend some time studying much more or understanding more. Thanks for the excellent info; I used to be on the lookout for this info for my mission.

  2. I happen to be writing to make you understand what a terrific experience my wife's girl obtained reading your web blog. She figured out lots of issues, not to mention what it's like to have a marvelous coaching nature to get many more clearly fully understand a variety of hard-to-do subject matter. You really exceeded visitors' desires. I appreciate you for producing these precious, dependable, educational and unique tips on the topic to Mary.

Comments are closed.