How to Exploit Public Firebase Realtime Database using REST API

Mastur
Dec 1, 2021

What is Firebase - Realtime Database?

As per Google, Firebase is a cloud-hosted database that stores and syncs data between users in real time; this might be chat data, user logs, application logs, etc.

Why does misconfiguration occur in Firebase Database? Why can a Firebase Database be accessed and modified by public users?

By default, the database rules “read” and “write” are set to false, which means the database is protected and public users cannot access or modify the data. But when the developer/owner tests the database functionality and sets “read” and “write” to “true”, public users can read and write the content of the database without any authentication.

Screenshot: Firebase read and write rules set to true

For best practices on securing Firebase, refer to https://firebase.google.com/docs/database/security

How do we know that the application uses Firebase?

Before we can exploit Firebase, we need to know how to discover the Firebase database. Firebase is used on Web, Android and iOS; the Firebase URL looks like https://abc.firebaseio.com/, where abc is the name of the Realtime Database.

  • Web application: search for the keyword “firebaseio”; the URL is often found in a JavaScript file.
  • Android or iOS application: use MobSF to scan the apk / ipa file; if the application uses Firebase, MobSF will return the Firebase URL in the scan output. Or decompile the apk file using apktool or another decompiler and go to res > values > strings.xml to find the Firebase URL with the keyword “firebaseio”.
Screenshot: MobSF report
Screenshot: Firebase URL in the strings.xml file

How to exploit the Firebase Database?

Checking the permission is simple: after getting the Firebase URL, for example https://abc.firebaseio.com, append .json to it. The final URL becomes https://abc.firebaseio.com/.json; paste this URL in the browser. If we get the response “null” or the database content, the read rule (https://firebase.google.com/docs/rules) of the Firebase database has been set to “true” (public); if we get the response “Permission denied”, the database is configured properly.

Screenshot: read rules set to “true”
Screenshot: read rules set to “false”
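The check described above, as an added example that is not part of the original article: a small Python script that builds the `/.json` probe URL for a database you own and turns the HTTP status and body into an audit verdict, so the “null / content means public, Permission denied means protected” decision can be run over a list of your own project URLs instead of pasted into a browser one at a time. The HTTP status codes used for the decision (200 for a readable root, 401 for a refused read) are assumptions about Firebase's REST behaviour, not values stated in the article.

```python
"""Added example: classify what a Realtime Database '/.json' probe returns.

Intended for auditing databases your own team operates. The status codes
(200 readable, 401 refused) are assumed from Firebase's REST behaviour.
"""
import json
import urllib.error
import urllib.request

PUBLIC_READ = "public-read"   # the '.read' rule is effectively true
PROTECTED = "protected"       # the read was refused by the rules
UNKNOWN = "unknown"           # anything else: inspect by hand


def probe_url(base_url: str) -> str:
    """Turn https://abc.firebaseio.com into https://abc.firebaseio.com/.json."""
    return base_url.rstrip("/") + "/.json"


def classify_probe(status: int, body: str) -> str:
    """Map an HTTP status and response body to an audit verdict.

    A readable root answers 200 with either the literal 'null' (empty
    database) or a JSON document (populated database); both parse as JSON.
    A refused read answers with a 'Permission denied' error body.
    """
    text = body.strip()
    if status == 200:
        try:
            json.loads(text)          # 'null' parses as JSON null
            return PUBLIC_READ
        except ValueError:
            return UNKNOWN            # e.g. an HTML page, not a database
    if status in (401, 403) and "Permission denied" in text:
        return PROTECTED
    return UNKNOWN


def probe_database(base_url: str, timeout: float = 10.0) -> str:
    """Issue the GET against a database you own and classify the answer."""
    req = urllib.request.Request(probe_url(base_url), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the body still carries Firebase's error JSON.
        return classify_probe(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    # Usage: python probe.py https://<your-project>.firebaseio.com
    print(probe_database(sys.argv[1]))
```

`classify_probe` is kept separate from the network call so the decision logic can be unit-tested against captured responses, and the script accepts only a base URL, so it never writes to the database.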

If we want to save data without creating an Android application, we can use the REST API (see https://firebase.google.com/docs/database/rest/save-data), which lets you add, update, and remove data in the Firebase Database:

POST to save data.
PUT to modify data.
DELETE to remove data.

How to secure the Firebase Database?

  • Authentication: implement proper authentication to prevent unauthorized access. Allow only authenticated users to read/write data in the database.
  • Authorization: proper read and write access must be configured based on the uid / user roles across the whole database. See https://firebase.google.com/docs/database/security for how to configure this properly.
  • Data validation: make sure the database has validation rules that reject junk data before it is written to the database.
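As an added example that is not part of the original article, here is the open rules document the article describes beside a hardened one that applies the three points above (authentication, uid-scoped authorization, validation), plus a small linter that walks a Realtime Database rules document and reports every `.read` or `.write` that is unconditionally `true`. Both rules documents are constructed for illustration and are not taken from any real project.

```python
"""Added example: lint Realtime Database security rules for open read/write.

OPEN_RULES is the misconfiguration described in the article; HARDENED_RULES
is a constructed replacement that requires authentication, scopes each user
to their own subtree and validates written records. Neither comes from a
real project.
"""
import json

# Constructed: everything public, the state the article warns about.
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed: root denies by default; announcements are readable by any
# signed-in user; each user may only read/write their own record, and a
# record must carry a 'name' child to be accepted.
HARDENED_RULES = json.loads("""
{
  "rules": {
    ".read": false,
    ".write": false,
    "announcements": {
      ".read": "auth != null",
      ".write": false
    },
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",
        ".validate": "newData.hasChildren(['name'])"
      }
    }
  }
}
""")


def _is_open(value) -> bool:
    """A rule is open when it is the boolean true or the string 'true'."""
    return value is True or (isinstance(value, str) and value.strip() == "true")


def find_open_rules(rules_doc: dict) -> list:
    """Return [(path, rule_name)] for every unconditional .read/.write.

    Keys beginning with '.' are rules; every other key (including $wildcards)
    is a child location and is descended into.
    """
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path, key))
            elif not key.startswith("."):
                walk(value, path.rstrip("/") + "/" + key)

    walk(rules_doc.get("rules", {}), "/")
    return findings


def rules_are_safe(rules_doc: dict) -> bool:
    """True when no .read/.write in the document is unconditionally open."""
    return not find_open_rules(rules_doc)


if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_open_rules(doc))
```

Because rules cascade downward in the Realtime Database, an open `.read` at `/` exposes every child path regardless of stricter rules below it, which is why the linter reports the path of each finding: a hit at `/` is the whole database. Running the linter on exported rules in CI catches the “set to true while testing, forgot to revert” case before it is deployed.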

Recent Attack

There have been several recent attacks on misconfigured Firebase databases that allowed any user to access a company’s records publicly.
