
Exposed Google keys leaves billions of users open to mass spam and phishing notifications

HempBoosh

Summary

New vulnerabilities involving Google’s Firebase Cloud Messaging service could have allowed fraudsters to send mass spam and phishing push notifications to billions of Android users. The exploit involves Firebase, a Google platform that allows app developers to build their apps, and leverages its Firebase Cloud Messaging Service. This was discovered by Abhishek Dharani, a Bangalore-based security researcher better known as “Abss.”

 

Quotes


First described in Abss’ blog post, which is a technical walk-through of the vulnerability, the Firebase Cloud Messaging exploit could allow attackers to send any push notifications to billions of app users, even if those users weren’t subscribed to the various apps’ push notifications. As reward for finding these vulnerabilities in the various apps, Abss and his team received $30,000 in bounties.

The problem lies with how sensitive data – here, API keys – was exposed in the app code (for Android, this is an APK file), allowing anyone to see it if they just dug enough. 

In fact, that’s exactly how Abss was able to discover this particular exploit. “I love taking time to understand things and to slowly connect the dots. The process of finding this was similar,” Abss told CyberNews. After digging through the APK’s .xml and .smali files, the recent Computer Science grad found keys that he thought may be sensitive (rather than ones intended to be made public). 

 

My thoughts

I never thought that an app development API could be a potential vulnerability, and yet here we are. Now I won't joke anymore about the overabundance of APIs and libraries - having more means we're less vulnerable if something like this comes up again. Luckily nothing happened.

 

Sources

https://cybernews.com/security/exposed-google-keys-leaves-billions-of-users-open-to-mass-spam-and-phishing-notifications/
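The article's root cause is that credentials meant to stay server-side were shipped inside the APK's resources, where anyone who decodes the package can read them, while other Firebase values (the client API key, app ID, sender ID) are designed to be public and are not a finding. The check below is an added example, not code from CyberNews, Abss, or Google: a pre-release scan over a decoded `res/values/strings.xml` that skips the resource names the google-services Gradle plugin generates for client use (the set is an assumption about standard plugin output) and flags the rest either by a credential-like resource name or by a long, high-entropy value. The sample XML is constructed, and every key value in it is a placeholder.

```python
"""Pre-release check for server-side secrets left in decoded Android resources.

Added example (not from the article or the researcher's blog). It distinguishes
the public client identifiers Firebase expects to live in an APK from values
that look like server credentials and should never be in client code.
"""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Resource names generated by the google-services Gradle plugin for client use.
# Assumption: these are the standard plugin output names; their values are public.
PUBLIC_CLIENT_RESOURCES = {
    "google_api_key",
    "google_app_id",
    "gcm_defaultSenderId",
    "default_web_client_id",
    "firebase_database_url",
    "google_storage_bucket",
    "project_id",
    "google_crash_reporting_api_key",
}

# Resource names that suggest a server-side credential rather than a client id.
SENSITIVE_NAME_RE = re.compile(
    r"(server[_-]?key|secret|legacy|private|service[_-]?account)", re.IGNORECASE
)

# Thresholds for the generic "looks like a token" heuristic.
MIN_TOKEN_LENGTH = 32
MIN_TOKEN_ENTROPY_BITS = 4.0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings_xml(xml_text: str) -> list[tuple[str, str]]:
    """Return (resource_name, reason) pairs for string resources worth reviewing."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter("string"):
        name = element.get("name", "")
        value = (element.text or "").strip()
        if name in PUBLIC_CLIENT_RESOURCES:
            continue  # intended to be public; not a finding
        if SENSITIVE_NAME_RE.search(name):
            findings.append((name, "resource name suggests a server-side credential"))
        elif (
            len(value) >= MIN_TOKEN_LENGTH
            and " " not in value
            and shannon_entropy(value) >= MIN_TOKEN_ENTROPY_BITS
        ):
            findings.append((name, "long high-entropy value outside the public client set"))
    return findings


# Constructed sample of a decoded res/values/strings.xml. All key values are placeholders.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Example Notes</string>
    <string name="google_api_key">PLACEHOLDER-public-client-api-key</string>
    <string name="fcm_server_key">PLACEHOLDER-server-key-value</string>
    <string name="api_upload_token">kX9mQ2vT7pL4nR8wJ5sH1dF6gB3cZ0yA</string>
</resources>
"""


def demo() -> list[tuple[str, str]]:
    """Run the scan over the constructed sample and return its findings."""
    return scan_strings_xml(SAMPLE_STRINGS_XML)


if __name__ == "__main__":
    for resource_name, reason in demo():
        print(f"REVIEW {resource_name}: {reason}")
```

Run it over the `res/values/` output of a decoded build before release; a hit on a name like `fcm_server_key` means the credential has to be moved to a backend and rotated, since anything in the APK is readable by every installer. The entropy heuristic is deliberately loose and will need tuning per project, which is why the findings carry a reason rather than a verdict.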


I see now why I got a spam text recently about "a package they received in April" with a link to a giveaway

I WILL find your ITX build thread, and I WILL recommend the Silverstone Sugo SG13B

 

Primary PC:

i7 8086k - EVGA Z370 Classified K - G.Skill Trident Z RGB - WD SN750 - Jedi Order Titan Xp - Hyper 212 Black (with RGB Riing flair) - EVGA G3 650W - dual booting Windows 10 and Linux - Black and green theme, Razer brainwashed me.

Draws 400 watts under max load, for reference.

 

How many watts do I need | ATX 3.0 & PCIe 5.0 spec, PSU misconceptions, protections explained | group reg is bad


1 minute ago, Fasauceome said:

I see now why I got a spam text

SMS messages are a different thing and not related to this news.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


Just now, WereCatf said:

SMS messages are a different thing and not related to this news.

I use Google messages which has an internet cloud messaging component, thought that might be connected


What I don't understand is, which apps did he find the API keys in? At first it sounds like there was some issue with a Google service but when I read his blog post about this it sounds more like he downloaded some random apps and inside one of them a developer had left their Firebase API keys in clear text. If that's what happened, which it seems to be, then it's basically like if someone on this forum left their username and password visible in some screenshot, and Linus went out and paid me for pointing it out because "flaw in image on LTT could have allowed users to post spam messages using other persons' account".

 

Edit: Oh it did not work the way I thought it worked. This seems like an actual exploit in Google's service. He has a detailed explanation on his blog but it's quite drawn out.

 

 

39 minutes ago, Fasauceome said:

I see now why I got a spam text recently about "a package they received in April" with a link to a giveaway

Not related.

19 minutes ago, WikiForce said:

I got two spam messages in my inbox today and wondered how that was possible, because Google is great at keeping crap away; this is probably what caused it.

Not related.

 

This is about push notifications. Not text messages or email.

Also, it seems like this was fixed before it was exploited.


3 hours ago, HempBoosh said:

Summary

New vulnerabilities involving Google’s Firebase Cloud Messaging service could have allowed fraudsters to send mass spam and phishing push notifications to billions of Android users. The exploit involves Firebase, a Google platform that allows app developers to build their apps, and leverages its Firebase Cloud Messaging Service. This was discovered by Abhishek Dharani, a Bangalore-based security researcher better known as “Abss.”

 

Quotes

My thoughts

I never thought that an app development API could be a potential vulnerability and yet here we are. Now I won't joke anymore about the overabundance of API's and libraries - having more means we're less vulnerable if something like this come up again. Luckily nothing happened.

 

Sources

https://cybernews.com/security/exposed-google-keys-leaves-billions-of-users-open-to-mass-spam-and-phishing-notifications/

 

Google engineers also don't understand their own privacy settings:

https://arstechnica.com/tech-policy/2020/08/unredacted-suit-shows-googles-own-engineers-confused-by-privacy-settings/

 

It does create something of a perfect storm for abuse, where you think you've turned privacy features on or off, and then some malicious thing like spam or phishing ends up succeeding and your company (Google) doesn't even know where to begin to fix it.

 

How about for starters "Turn off messages from those not on my contact list, and not recently contacted/nearby"

 

And yes, there are far too many libraries/frameworks used, and that leads to poor vetting of the security of the underlying libraries, when something as little as the /O3 compiler switch might expose a vulnerability where /Os would not in a compiler since O3 on one compiler is not the same as another.

 
