Android Question Google Firebase messaging vulnerability allowed attackers to send push notifications to app users

Alex_197

Active Member
Licensed User
More than $30,000 has been awarded for the discovery of a security issue that allowed attackers to send mass notifications to Android users.

The bug, which impacted mobile applications that were developed on Google’s Firebase platform, enabled attackers to send push notifications to all app users, regardless of whether they were subscribed or not.

Firebase is Google’s flagship mobile app development platform that includes messaging functions, database management, and cloud services.

In a technical blog post, security researcher Abhishek “Abss” Dharani explained how casual research and “fiddling” with Android applications led to the impressive payout.

https://portswigger.net/daily-swig/...ckers-to-send-push-notifications-to-app-users
 

Alex_197

Active Member
Licensed User
Even if they were warned, some developers include the server key in their apps.
This key is extracted here to send Messages.

Solution:
Do not use the technique in your B4A App. Use a B4J Server app to send the Message(s).
I'm going to send messages from my web site so I can't use B4J. But I put a key into web.config file of my ASP.NET web site.
 

Alexander Stolte

Expert
Licensed User
Use a B4J Server app to send the Message(s).
My 50 cents:
B4X:
' API_KEY is the FCM server key, declared as a global of this B4J server app; it never ships inside the B4A client.
Private Sub SendMessage(Topic As String, Title As String, Body As String)
    Dim Job As HttpJob
    Job.Initialize("fcm", Me)
    Dim m As Map = CreateMap("to": $"/topics/${Topic}"$)
    Dim data As Map = CreateMap("title": Title, "body": Body)
    If Topic.StartsWith("ios_") Then
        Dim iosalert As Map =  CreateMap("title": Title, "body": Body, "sound": "default")
        m.Put("notification", iosalert)
        m.Put("priority", 10)
    End If
    m.Put("data", data)
    Dim jg As JSONGenerator
    jg.Initialize(m)
    Job.PostString("https://fcm.googleapis.com/fcm/send", jg.ToString)
    Job.GetRequest.SetContentType("application/json;charset=UTF-8")
    Job.GetRequest.SetHeader("Authorization", "key=" & API_KEY)
End Sub
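A pre-release check for the mistake this thread is about, the FCM server key compiled into the client. This is an added example, not code from the thread or from B4X; it assumes the legacy server key shape `AAAA…:APA91b…` (seven and 140 URL-safe characters) and scans a project folder or an unpacked APK with a constructed sample input.

```python
import os
import re
import sys

# Assumed shape of a legacy FCM server key (not taken from the thread):
# "AAAA" + 7 chars, ":APA91b", then 140 URL-safe chars. A Firebase service
# account JSON is caught separately by its "private_key" field.
FCM_SERVER_KEY = re.compile(r"AAAA[A-Za-z0-9_-]{7}:APA91b[A-Za-z0-9_-]{140}")
SERVICE_ACCOUNT = re.compile(r'"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----')

SOURCE_SUFFIXES = (".bas", ".xml", ".json", ".java", ".kt", ".cs", ".config", ".txt")


def redact(secret):
    # Keep just enough to locate the hit; never echo the full key into logs.
    return secret[:12] + "..."


def find_fcm_secrets(text):
    """Return redacted FCM credentials found in `text` (empty list if clean)."""
    hits = [redact(m.group(0)) for m in FCM_SERVER_KEY.finditer(text)]
    if SERVICE_ACCOUNT.search(text):
        hits.append("service-account-json")
    return hits


def scan_tree(root, suffixes=SOURCE_SUFFIXES):
    """Walk a B4A project or unpacked APK; return {path: [redacted hits]}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_fcm_secrets(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: a B4A source line with the server key hard-coded.
# The key is synthetic and has the right shape only; it is not a credential.
SAMPLE_KEY = "AAAA" + "a1b2c3d" + ":APA91b" + "x" * 140
SAMPLE_B4A = 'Private API_KEY As String = "' + SAMPLE_KEY + '"\n'
SAMPLE_CLEAN = 'Private TOPIC As String = "general"\n'

if __name__ == "__main__":
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, hits in found.items():
        print(f"{path}: {', '.join(hits)}")
    sys.exit(1 if found else 0)  # non-zero fails the build when a key is found
```

Run it against the B4A project folder in CI so a build that embeds the key fails before it is published.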
 