Google Auth Vulnerability

Update: Google awarded us a Bug Bounty for this vulnerability on September 1, 2020

Eureka Surveys
The Startup
4 min read · Oct 13, 2020


TL;DR Firebase Auth has high default quota limits and enables Google identity services without opt in. The API also returns revealing auth failure info (invalid email/bad password). This creates a perfect setup to exploit via brute force attacks.

We’ve been using Google Firebase for the past year at Eureka Surveys and have had a fantastic experience with the product. Firebase’s Firestore database and Cloud Functions have scaled smoothly as we’ve gone from zero to hundreds of thousands of users. We’re a team of two full-time engineers, and Firebase has been the perfect substitute for having to hire a full infrastructure team.

After seeing a lot of success on iOS (100K+ Ratings, 4.8 Star Average), we launched Eureka’s website (eurekasurveys.com) in August of 2020. We were hit almost immediately with a wave of attacks. Specifically, one such brute-force attack exploiting Firebase Auth allowed hackers from Nigeria to log in to several user accounts and drain funds to a hacker-controlled PayPal.

Google has yet to come out with a permanent fix. As of October 2020, any website using Google Firebase Auth with email and password login is vulnerable to this sort of attack. We’ve confirmed this through white-hat attacks on several other sites that use Google Firebase Auth (with permission, of course).

Steps to Reproduce

  1. Attacker obtains a black-market list of millions of leaked emails and passwords. The number of leaked passwords in our industry (paid surveys) is especially high.
  2. Attacker visits a website backed by Firebase Auth and grabs the site’s public API key from the network call to https://securetoken.googleapis.com/v1/token. Firebase Auth calls secureToken on every request to exchange an Auth token for a refresh token.

  3. Attacker uses the site’s public API key to access the Google Identity Toolkit API, the underlying service that backs Firebase Auth. The attacker then brute-forces email-password combinations using the SignInWithPassword method (used to validate login credentials) via the following command:

curl 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=[API_KEY]' -H 'Content-Type: application/json' --data-binary '{"email":"[EMAIL]","password":"[PASSWORD]","returnSecureToken":true}' --referer [URL]

We saw SignInWithPassword being hit at rates of 5,500 requests per minute, with a peak of 90,000 requests per minute.

  4. Most calls to SignInWithPassword fail with either EMAIL_NOT_FOUND or INVALID_PASSWORD, but given our large user base, the attacker saw success once every four to six hours. For every validated email-password login, the attacker would then access that user’s account via our website and drain their entire Eureka balance to PayPal.

Even as of October 2020, our Google Identity Toolkit API is still being spammed with thousands of calls to SignInWithPassword every minute.

Solution (Workaround)

Without a permanent fix from Google, the best we can do is stall the attackers. We’ve come up with two workarounds that have, so far, prevented any new account compromises:

  1. Turn off Firebase Auth sign-in with password and only allow sign-in through email link. An attacker will still be able to check email-password combinations using the Google Identity Toolkit API, but will be unable to log in. The exception is a user who reuses their Eureka email and password for their email provider, in which case the attacker has access to the user’s email, and thus their sign-in link.
  2. Turn down quota limits in the Google Identity Toolkit Console. Google Identity Toolkit is set up automatically, without any opt-in, when using Firebase Auth — we were initially unaware the Identity Toolkit API was even exposed. The default quota value for the Google Identity Toolkit API is 30,000 requests per minute per user, where a user is uniquely identified by IP address. Normal user behavior should not require more than five requests per minute per user.

Recommendations to Google

We included the following recommendations to Google in our Bug Bounty report:

  1. Change the default quota values for Google Identity Toolkit API to something more reasonable. 30,000 requests per minute per user is not necessary.
  2. Block IPs with high error rates. Attackers hit our project from a rotating set of IPs to circumvent rate limits, but with error rates of above 99.9%. Google Identity Toolkit API ought to be smart enough to ban requests from these users.


We hope this write-up helps other projects using Firebase Auth protect themselves from this sort of brute force attack. Questions or comments? DM me on Twitter @tomstah.
