FCM keys expose millions of users to spam and phishing
Security researcher Abhishek Dharani, known as Abss, has published a blog post on his investigation into a vulnerability in Firebase Cloud Messaging (FCM), a cloud solution for messages and notifications in Android, iOS and web applications. FCM belongs to Firebase, a subsidiary of Google.
The bug, which affected mobile applications developed on the FCM platform, allowed attackers to send automatic notifications to all users of an application, whether or not they were subscribed.
Abss discovered that the code of various Android applications contained the unique keys that the FCM service verifies to authenticate messages. With such a key, an attacker could create automatic notifications with any content they chose and send them to the users of the affected application. If the keys have been exposed, they should be removed from the server and new ones created.
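A pre-release check for the problem described above, as an added example that is not code from the researcher or from Firebase: it scans an app's own source and resource files for strings shaped like an FCM server key and reports them redacted. The key pattern is an assumption (a commonly used shape for legacy FCM server keys, not stated on this page), and the file names and sample key are constructed.

```python
import re

# Assumption (not stated on the page): legacy FCM server keys are commonly
# matched as "AAAA" + 7 chars + ":" + 140 URL-safe base64 chars.
_B64 = r"[A-Za-z0-9_-]"
FCM_SERVER_KEY = re.compile(
    rf"(?<!{_B64})AAAA{_B64}{{7}}:{_B64}{{140}}(?!{_B64})"
)


def redact(secret, keep=8):
    """Keep a short prefix so the finding can be matched to a key in the console."""
    return f"{secret[:keep]}...[{len(secret)} chars]"


def scan_text(path, text):
    """Return one finding per key-shaped string: (path, line number, redacted key)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in FCM_SERVER_KEY.finditer(line):
            findings.append((path, lineno, redact(match.group(0))))
    return findings


def scan_files(files):
    """files: mapping of path -> contents, e.g. read from the app's source tree."""
    results = []
    for path, text in sorted(files.items()):
        results.extend(scan_text(path, text))
    return results


# Constructed sample input: the key is synthetic filler, not a real credential.
FAKE_KEY = "AAAA" + "x" * 7 + ":" + "Z" * 140
SAMPLE_FILES = {
    "res/values/strings.xml": (
        "<resources>\n"
        f'  <string name="fcm_server_key">{FAKE_KEY}</string>\n'
        "</resources>\n"
    ),
    "src/Push.java": 'String topic = "news"; // no key material here\n',
}

if __name__ == "__main__":
    for path, lineno, key in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible FCM server key {key}")
```

Any finding means the key ships inside the app package; it should live only on the application server, and a key that has already shipped should be deleted and replaced as described above.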
- 17/08/2020 abss.me Firebase Cloud Messaging Service Takeover: A small research that led to 30k$+ in bounties
- 19/08/2020 portswigger.net Google Firebase messaging vulnerability allowed attackers to send push notifications to app users
- 25/08/2020 cybernews.com Exposed FCM keys leaves billions of users open to mass spam and phishing notifications
- 28/08/2020 nakedsecurity.sophos.com Fake Android notifications – first Google, then Microsoft affected