Background

In mid-2018, Appthority released a report detailing a vulnerability in Google's firebase.io, a database backend used by thousands of mobile apps.

Details

Potentially sensitive data is available via accessing URLs of the form https://<APPNAME>.firebaseio.com/.json. By so doing, you can gain access to all unprotected data in that particular database. If your organization develops and/or deploys mobile apps, you should check to see whether they are using FireBase, and if so, whether any data is being exposed.

One quick way to do this:

wget https://appname.firebaseio.com/.json;cat .json |python -m json.tool

The above command will grab the contents from the appropriate URL, and pretty-print it using Python’s json.tool module.

You can also quickly check to see whether the data exists thusly:

curl -sL -w "%{http_code} %{url_effective}\\n" "https://appname.firebaseio.com/.json" -o /dev/null

This will return the HTTP response code followed by the URL. 200 indicates the data is present, and 404 tells you there’s nothing there.

comments powered by Disqus