Google Firestore Misconfigurations

Introduction

Firebase is a platform developed by Google for creating mobile and web applications. It is a Backend-as-a-Service aimed mainly at mobile applications. Its focus is on removing the burden of programming the back-end: it provides a nice SDK as well as many other interesting things that facilitate the interaction between the application and the back-end.

What are we going to cover?

This chapter covers how to find the Firebase URLs in an APK and the common attacks that can occur on a misconfigured Google Firestore database, which could lead to data breaches.

Steps to setup lab

  • Navigate to the ~/tools folder on your cloudhacker machine. You will see FireVu.apk there.

  • Follow the steps below to attack.

Steps to attack

There are two ways to find the Firebase URLs: one is manual extraction and the other is using automated tools like FirebaseScanner.

  • Here we'll use Apktool to extract the APK.

    • You can find apktool in your tools folder.

Extraction of APK

We will use an intentionally vulnerable application to complete this exercise, although any other application that talks to Firebase would do. Firebase endpoints can often be found inside mobile applications, and it is possible that the endpoint in use is badly configured, granting everyone privileges to read (and write) on it.

We will use the FireVu application for this demo.

  • If you want to extract the APK from an application installed on Android, use this Extractor App to do that.

  • Now decompile the APK using apktool; the command below extracts the source code from the APK.

apktool d FireVu.apk -o app

  • It extracts the files into the app folder.

[Screenshot: apktool usage]
  • Once decompiled, we can see the files and folders. Go to res/values/strings.xml and search for the firebase keyword.

  • Read the XML file and check whether there are any Firebase URLs. You may find something like this URL: https://xyz.firebaseio.com/


cat res/values/strings.xml | grep "firebase"

  • Next, open the browser and navigate to the URL you found with .json appended: https://xyz.firebaseio.com/.json. We have to add .json to interact with the Realtime Database over REST, and that database might be configured with public READ/WRITE access.

  • Here you may encounter two types of response:

  • Permission Denied: this means that you cannot access it, so it's well configured.

  • A null response or a bunch of JSON data: this means that the database is public and you have at least read access.

    • In this case, you could also check for write privileges. This can be done using a Firebase tool.
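The steps above (grep the decompiled resources for a firebaseio.com URL, request <database>/.json, and sort the answer into "permission denied", "null" or "data") can be scripted so the check is repeatable against an application you own or are authorised to test. The block below is an added example, not code from the page or from the FireVu project; the strings.xml content is constructed, and the project id example-db, the API key placeholder and the function names are assumptions. The network part is a plain GET against the /.json REST path, exactly what the browser step does; the classification is done offline on the status code and body. Firebase Realtime Database answers a denied unauthenticated read with HTTP 401 and the body {"error":"Permission denied"}, which is what the classifier treats as the well-configured outcome.

```python
import json
import re
import urllib.error
import urllib.request

# Constructed sample of a decompiled res/values/strings.xml (not taken from FireVu).
# The project id "example-db" and the API key value are placeholders.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">FireVu</string>
    <string name="firebase_database_url">https://example-db.firebaseio.com</string>
    <string name="google_api_key">PLACEHOLDER_API_KEY</string>
</resources>
"""

# Realtime Database hosts look like <project>.firebaseio.com (assumption: the
# legacy host form the page shows; newer projects may use a -default-rtdb suffix,
# which this pattern also matches).
FIREBASE_URL_RE = re.compile(r"https://[a-z0-9-]+\.firebaseio\.com")


def find_firebase_urls(text):
    """Return the distinct Realtime Database URLs found in decompiled resources, in order."""
    found = []
    for match in FIREBASE_URL_RE.finditer(text):
        url = match.group(0)
        if url not in found:
            found.append(url)
    return found


def classify_response(status, body):
    """Map the HTTP status and body of GET <db>/.json to one of the outcomes listed above."""
    if status in (401, 403):
        # Security rules rejected the unauthenticated read: well configured.
        return "permission_denied"
    if status != 200:
        return "unexpected"
    data = json.loads(body)
    if data is None:
        # Readable by anyone, but the root currently holds no data (body is "null").
        return "public_empty"
    # Readable by anyone and returning data: at least public read access.
    return "public_data"


def probe(db_url, timeout=10):
    """Run the read check against a database you are authorised to test (needs network)."""
    request = urllib.request.Request(
        db_url.rstrip("/") + "/.json", headers={"User-Agent": "firebase-read-check"}
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify_response(response.status, response.read().decode())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode())


if __name__ == "__main__":
    for url in find_firebase_urls(SAMPLE_STRINGS_XML):
        print(url)          # the URL(s) you would paste into the browser with /.json appended
    # Offline illustration of the three outcomes without touching any live project:
    print(classify_response(401, '{"error":"Permission denied"}'))
    print(classify_response(200, "null"))
    print(classify_response(200, '{"users": {"user1": {"name": "constructed"}}}'))
```

To use it on a real decompiled app, read res/values/strings.xml (or grep the whole app/ tree, since the URL may also sit in code or other resources) into find_firebase_urls and pass each result to probe; anything other than permission_denied means the rules need fixing before the app ships.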

Checking read/write access

  • Since we have the endpoint https://firevu-db.firebaseio.com, we'll check whether we have write access. We have already seen that any unauthorized user can retrieve the data from firevu-db.

  • Let's check the write access. A poorly implemented security rule is what causes the data leak above: every parent/child node in the database is readable by anyone.

Rules from the Firebase security documentation

Identifying your user is only part of security. Once you know who they are, you need a way to control their access to data in your database. Realtime Database Security Rules allow you to control access for each user. For example, here's a set of security rules that allows anyone to read the path /foo/, but no one to write to it:

{
  "rules": {
    "foo": {
      ".read": true,
      ".write": false
    }
  }
}

Now, try to write data to the users node in the database. Check whether we can delete user1.


Since we don't have write access, we can't write data to the database.
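The rules document quoted above explains both results of this lab: a literal true on ".read" opens the path to everyone, while ".write": false rejects the delete. Because Realtime Database rules cascade downward (a shallower .read or .write grant cannot be revoked by a deeper rule), the audit a defender wants is simply "does any node, starting at the root, grant read or write unconditionally?". The block below is an added example, not code from the page or from FireVu; the two rule sets are constructed (WEAK_RULES is the shape of configuration behind a leak like the one above, with the additional mistake of open writes, and HARDENED_RULES restricts each user to their own subtree), and the function name find_open_paths is an assumption. It goes slightly beyond the page's single rule by walking an arbitrary rules tree.

```python
import json

# Constructed example: root-level read and write granted to anyone. A database
# with these rules answers GET /.json for unauthenticated users and also accepts
# writes and deletes. Not the rules of any real project.
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed hardened form: nothing is granted at the root, and each signed-in
# user may read and write only the subtree named after their own uid.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")


def find_open_paths(rules):
    """Return (path, permission) pairs where a rule is unconditionally true.

    Only ".read" and ".write" are inspected; ".validate" and ".indexOn" do not
    grant access. Both the boolean true and the string "true" (which the rules
    language evaluates as an expression that is always true) count as open.
    Because rules cascade, every path listed here, and everything beneath it,
    is accessible to unauthenticated clients.
    """
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if value is True or value == "true":
                    findings.append((path or "/", key))
            elif not key.startswith("."):
                # Child location (including $wildcard names); descend into it.
                walk(value, path + "/" + key)

    walk(rules.get("rules", {}), "")
    return findings


def audit(rules):
    """Human-readable summary for a rules document loaded from the Firebase console or CLI."""
    open_paths = find_open_paths(rules)
    if not open_paths:
        return "no unconditional read/write grants"
    return "; ".join(f"{perm} open to everyone at {path}" for path, perm in open_paths)


if __name__ == "__main__":
    print("weak:", audit(WEAK_RULES))
    print("hardened:", audit(HARDENED_RULES))
```

Pointing audit at the rules exported for a real project (the Firebase console's Rules tab, or database.rules.json in a firebase-tools project) flags exactly the grant that made firevu-db readable; the page's own example with ".read": true under foo is reported as read open at /foo, while its ".write": false is correctly ignored.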
