How I was able to find a Firebase database takeover vulnerability in a company

Introduction

This is my bug bounty write-up about a Firebase database takeover vulnerability that I found in an Android app. There are just a few resources about Android hacking. This article aims to briefly document one Android vulnerability, called Firebase database takeover. For this purpose I will share my finding about this vulnerability. I will blur some of the company information. That being said, let's jump in.

Steps To Reproduce

1. Download the application from the Google Play Store.

2. Use an APK extractor to extract the APK.

3. I used the BlueStacks emulator.

4. Use apktool to decompile the application.

5. Go to res/values/strings.xml.

6. Look for the Firebase URL.

7. I wrote a Python script to insert data.

8. PoC (Proof of Concept)

Impact

This application doesn't need any access token to insert data into the Firebase database. It is completely open and anybody can access it without any credentials.
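For the app owner's side of this finding, here is an added example (not part of the original write-up and not the author's script) that locates the database URL shipped in `strings.xml` and lints Realtime Database rules for unconditional grants. The sample XML, project ID and rule sets are constructed, and the rules are assumed to be exported as strict JSON without comments.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the kind of entry step 6 looks for in res/values/strings.xml.
STRINGS_XML = """<resources>
    <string name="app_name">Example</string>
    <string name="firebase_database_url">https://constructed-project-id.firebaseio.com</string>
</resources>"""

# Constructed rules: open at the root, the condition described under Impact.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'

# Constructed rules: access requires a signed-in user who owns the record.
LOCKED_RULES = """{"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid"}}}}"""

def firebase_urls(strings_xml):
    """Return the database URLs that ship inside the APK's string resources."""
    root = ET.fromstring(strings_xml)
    return [s.text.strip() for s in root.iter("string")
            if s.get("name") == "firebase_database_url" and s.text]

def _unconditional(expr):
    # Rules are JSON booleans or expression strings; only a literal true is flagged.
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def open_grants(rules_json):
    """List (path, operation) pairs that grant access with no condition.

    .read/.write grants cascade to child paths, so a hit at "/" exposes the
    whole database regardless of any deeper rules.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write") and _unconditional(value):
                findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json)["rules"], "")
    return findings

if __name__ == "__main__":
    print(firebase_urls(STRINGS_XML))
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        print(name, open_grants(rules))
```

An empty result only means no rule is literally `true`; conditions such as `auth != null` still need review against who is allowed to sign in.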

Timeline

Vulnerability Reported – 15 October, 2020 3:37 AM.

Replied – 15 October, 2020 12:31 PM

Rewarded $100 for two reports – 21 October, 2020 11:21 AM.

Conclusion

I really appreciate the company's very fast reply when I submitted the vulnerability, and their reply allowing me to disclose it. I really enjoy finding bugs in their organization, and thanks for agreeing to disclose this report and rewarding me a bounty.
