A bug bounty hunter’s casual journey through the Android ecosystem led to a $30,000 reward
More than $30,000 has been awarded for the discovery of a security issue that allowed attackers to send mass notifications to Android users.
The bug, which impacted mobile applications that were developed on Google’s Firebase platform, enabled attackers to send push notifications to all app users, regardless of whether they were subscribed or not.
Firebase is Google’s flagship mobile app development platform that includes messaging functions, database management, and cloud services.
In a technical blog post, security researcher Abhishek “Abss” Dharani explained how casual research and “fiddling” with Android applications led to the impressive payout.
Keys to success
Inspired by #AndroidHackingMonth, Dharani “rummaged” through Android testing blogs, utilizing a dataset of Android APKs made available through bug bounty platforms HackerOne and Bugcrowd.
After decompiling the APKs, Dharani investigated the gcp_keys.txt file containing Google Cloud Project (GCP) API keys.
While this usually stores keys with no impact (as GCP keys can be utilized for different APIs), Dharani looked into variable names to determine the privileges assigned to the keys.
Two variables – server_key and notification_server_key – related to the Firebase Cloud Messaging (FCM) service.
Products housed on Firebase can be synchronized to share information. If FCM is in use, this enables the sending and delivery of push notifications to iOS and Android devices.
Phishing heaven
Dharani focused on the Firebase server environment that deals with ‘send’ requests and push notifications, alongside a client FCM software development kit (SDK) that generates IID instance identification (IID) tokens for identifying app instances.
He subsequently discovered issues with FCM relating to Legacy Server Keys which could be abused to send requests via legacy HTTP, thereby circumventing security measures implemented in the HTTP v1 protocol, which requires a 0Auth 2.0 access token to send requests.
The scope of the issue could be massive, particularly when combined with the server-side ‘topics’ feature that’s used for subscribing app users to different notification categories.
READ MORE RCE vulnerability exposed in popular JavaScript serialization package
Dharani suggested that the vulnerability could be used most effectively in phishing campaigns, such as those related to the upcoming US Presidential Election or coronavirus.
“I see a definite intervention in the political landscape, [the] mass spread of false news, instant crippling of business reputation, and [a] credible amount of users [that] might even fall for a phishing scam via these notifications,” he said. “So, it’s a pretty huge deal.”
Renewed subscription
Originally, this approach would need either a client-side application or FCM admin SDK at the backend to subscribe a user to a particular topic.
However by abusing logical conditions and expressions, it was possible to force the FCM backend to broadcast malicious notifications to every user of a Firebase-based app.
At this stage, Dharani developed a proof-of-concept (PoC) and reported the issue to various bug bounty programs relating to Firebase projects and incorrectly validated keys.
He also teamed up with two other researchers, @streaak and @martinbydefault, who helped him find more vulnerable keys and identify the scope of the problem.
With the help of Gwendal Le Coguic, the team was able to find other vulnerable keys, including one belonging to food delivery giant Deliveroo, which awarded them $3,000.
Dharani had not intended to check Google applications, but together with Yash Sodha, a vulnerable key was also found in Google Hangouts, as well as the FCM server key of Google Play Music, exposed in the .smali code of the APK.
Read more of the latest bug bounty news
“We decided to download all the Google applications and test them for the same,” Dharani said. “After decompiling and running some scripts, we found a lot of such keys exposed in the client applications.”
Using Frida, it was also possible to snag Youtube Music and Youtube Go IID tokens, leading to the creation of further PoCs.
Speaking to The Daily Swig, Dharani said the security issues would not impact other Google services, unless they are housed by Firebase projects and on mobile platforms.
After submitting their findings to impacted organizations, $30,000 was awarded in total, alongside a Google Covid-19 vulnerability research grant.
Cleaning up
Developers involved in Firebase projects should check for the existence of potentially vulnerable keys.
A list can be found under Google Developer settings, and they can be regenerated or deleted – but deleting keys should be treated with caution.
A Google spokesperson told The Daily Swig that the issue was “specifically related to developers including API keys in their code for services that should not be included, which could then be exploited”, rather than the FCM service in itself being compromised.
“In cases where Google is able to identify that a server key is used, we attempt to alert the developers so they can fix their app,” the spokesperson added.