Firebase is a Backend-as-a-Service aimed mainly at mobile applications. It focuses on removing the burden of writing the back-end, providing an SDK and a set of services that simplify the interaction between the application and the back-end.
Firebase endpoints can therefore be found inside mobile applications. The Firebase database an app uses may be badly configured, granting everyone read (and possibly write) access to it.
This is the common methodology for finding and testing poorly configured Firebase databases:
- Get the APK of the app. Any tool that pulls the APK off the device will do; for this PoC you can use "APK Extractor": https://play.google.com/store/apps/details?id=com.ext.ui&hl=e
- Decompile the APK with apktool to recover its resources.
- Open res/values/strings.xml and search for the keyword "firebase".
- You may find a URL such as https://xyz.firebaseio.com/
- Next, open a browser and navigate to the found URL with `.json` appended: https://xyz.firebaseio.com/.json
- Two types of response can appear:
  - "Permission Denied": you cannot access it, so the database is correctly configured.
  - "null" or a bunch of JSON data: the database is public and you have at least read access.
- In that case, you can also check for write privileges; a script to test write access can be found here: https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
Interesting note: when analysing a mobile application with MobSF, if it finds a Firebase database it checks whether the database is publicly accessible and reports it.
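The misconfiguration the `.json` probe above detects lives in the project's Realtime Database security rules. As an added example (not code from the original page or from any tool it mentions), the following Python audit walks an exported rules document and flags every path whose `.read` or `.write` is open to unauthenticated callers; the weak and corrected rule sets are constructed for this example.

```python
import json

# Constructed sample: weak root-level rules that make "/.json" readable and
# writable by anyone; the per-user subtree below cannot undo that.
WEAK_RULES = json.dumps({"rules": {
    ".read": True,
    ".write": "true",
    "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                       ".write": "auth != null && auth.uid == $uid"}},
}})

# Corrected version: nothing is open at the root; each signed-in user
# reaches only their own node.
FIXED_RULES = json.dumps({"rules": {
    ".read": False,
    ".write": False,
    "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                       ".write": "auth != null && auth.uid == $uid"}},
}})


def _is_public(expr) -> bool:
    """True when the rule grants access to an unauthenticated caller."""
    return expr is True or (isinstance(expr, str) and expr.strip().lower() == "true")


def find_public_paths(rules_json: str) -> list:
    """Return (path, permission) pairs for every .read/.write open to the world.
    Rules cascade downward, so a public rule here also exposes every child path."""
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write") and _is_public(value):
                findings.append((path or "/", key))
            elif not key.startswith("."):  # skip .validate, .indexOn, ...
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(label, find_public_paths(rules) or "no public paths")
```

Any path the audit reports is exactly what an anonymous request to `https://<project>.firebaseio.com/<path>.json` would return or accept, so running it over the rules before deployment catches the issue the browser check finds after the fact.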