How I was able to find a Firebase database takeover vulnerability in a company
Introduction
This is my bug bounty write-up about a Firebase database takeover vulnerability that I found in an Android app. There are only a few resources about Android hacking. This article aims to briefly document one Android vulnerability, the Firebase database takeover. For this purpose I will share my finding. I will blur some of the company information. That being said, let's jump in.
Steps To Reproduce
1. Download the application from the Google Play Store.
2. Use an APK extractor to extract the APK.
3. I used the BlueStacks emulator.
4. Use apktool to decompile the application.

5. Go to res/values/strings.xml.
6. Look for the Firebase URL.

7. I wrote a Python script to insert data.

8. POC (Proof of Concept)

Impact
This application doesn't need any access_token to insert data into the Firebase database. It is completely open, and anybody can access it without any credentials.
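A defensive check for the condition described above, as an added example that is not part of the original write-up: it scans an exported Firebase Realtime Database rules file for paths where `.read` or `.write` is granted without authentication. It assumes the rules are strict JSON; the sample rules and the function names are constructed for illustration.

```python
import json

# Constructed sample rules, not taken from the application in this write-up.
SAMPLE_RULES = """
{
  "rules": {
    ".read": "auth != null",
    "users": {
      "$uid": {".write": "auth != null && auth.uid == $uid"}
    },
    "feedback": {".write": true},
    "public": {
      ".read": "true",
      "banners": {".write": " true "}
    }
  }
}
"""


def is_unconditional(value):
    """True when a rule grants access to every caller, signed in or not."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip() == "true"


def find_open_paths(rules_text):
    """Return sorted (path, operation) pairs that need no authentication.

    Rules cascade: access granted at a node covers all of its children and
    cannot be revoked deeper down, so only the shallowest node is reported.
    """
    findings = []

    def walk(node, path, granted):
        granted = set(granted)
        for op in (".read", ".write"):
            if op not in granted and is_unconditional(node.get(op)):
                findings.append((path or "/", op[1:]))
                granted.add(op)
        for key, child in node.items():
            if isinstance(child, dict) and not key.startswith("."):
                walk(child, f"{path}/{key}", granted)

    walk(json.loads(rules_text)["rules"], "", set())
    return sorted(findings)
```

An empty result means no path is open to unauthenticated callers; any `("/", "write")` finding corresponds to the fully open database described in this report.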
Timeline
Vulnerability Reported – 15 October, 2020 3:37 AM.
Replied – 15 October, 2020 12:31 PM
Rewarded $100 for two reports – 21 October, 2020 11:21 AM.
Conclusion
I really appreciate the company's very fast reply when I submitted the vulnerability, and that they replied allowing me to disclose it. I really enjoy finding bugs in their organization, and I thank them for agreeing to disclose this report and for rewarding me a bounty.