Android Question Google Firebase messaging vulnerability allowed attackers to send push notifications to app users

A

Alex_197

Well-Known Member
Licensed User
Longtime User
More than $30,000 has been awarded for the discovery of a security issue that allowed attackers to send mass notifications to Android users.

The bug, which impacted mobile applications that were developed on Google’s Firebase platform, enabled attackers to send push notifications to all app users, regardless of whether they were subscribed or not.

Firebase is Google’s flagship mobile app development platform that includes messaging functions, database management, and cloud services.

In a technical blog post, security researcher Abhishek “Abss” Dharani explained how casual research and “fiddling” with Android applications led to the impressive payout.

https://portswigger.net/daily-swig/...ckers-to-send-push-notifications-to-app-users
 
Sort by date Sort by votes
DonManfred

DonManfred

Expert
Licensed User
Longtime User
Even if they got warned some developer includes the server key into their apps.
This key is extracted here to send Messages.

Solution:
Do not use the technique in your B4A App. Use a B4J Server app to send the Message(s).
 
Upvote 0
A

Alex_197

Well-Known Member
Licensed User
Longtime User
DonManfred said:
Even if they got warned some developer includes the server key into their apps.
This key is extracted here to send Messages.

Solution:
Do not use the technique in your B4A App. Use a B4J Server app to send the Message(s).
Click to expand...
I'm going to send messages from my web site so I can't use B4J. But I put a key into web.config file of my ASP.NET web site.
 
Upvote 0
Alexander Stolte

Alexander Stolte

Expert
Licensed User
Longtime User
DonManfred said:
Use a B4J Server app to send the Message(s).
Click to expand...
50 cent:
B4X: 
'
Private Sub SendMessage(Topic As String, Title As String, Body As String)
    Dim Job As HttpJob
    Job.Initialize("fcm", Me)
    Dim m As Map = CreateMap("to": $"/topics/${Topic}"$)
    Dim data As Map = CreateMap("title": Title, "body": Body)
    If Topic.StartsWith("ios_") Then
        Dim iosalert As Map =  CreateMap("title": Title, "body": Body, "sound": "default")
        m.Put("notification", iosalert)
        m.Put("priority", 10)
    End If
    m.Put("data", data)
    Dim jg As JSONGenerator
    jg.Initialize(m)
    Job.PostString("https://fcm.googleapis.com/fcm/send", jg.ToString)
    Job.GetRequest.SetContentType("application/json;charset=UTF-8")
    Job.GetRequest.SetHeader("Authorization", "key=" & API_KEY)
End Sub
 
Last edited:
Upvote 0
You must log in or register to reply here.

Similar Threads

mehdi-moradpoor
  • Solved
Android Question Firebase Messaging and ESET Security Mobile
Replies
3
Views
1K
mehdi-moradpoor
mehdi-moradpoor
S
  • Locked
  • Question
Android Question Error receiving message firebaseMessaging Targeting S+
Replies
9
Views
2K
Erel
Erel
M
  • Question
Android Question FIREBASE MESSAGING ERROR
Replies
1
Views
1K
Andrew (Digitwell)
Andrew (Digitwell)
Kope
  • Article
Share My Creation Firebase Notification Messenger
Replies
0
Views
879
Kope
Kope
Angel Garcia
  • Question
Android Question Firebase Push Notification from Mobile to Net Framework?
Replies
1
Views
924
DonManfred
DonManfred
Top