HempBoosh

Exposed Google keys leaves billions of users open to mass spam and phishing notifications


Summary

New vulnerabilities involving Google’s Firebase Cloud Messaging service could have allowed fraudsters to send mass spam and phishing push notifications to billions of Android users. The exploit involves Firebase, a Google platform that allows app developers to build their apps, and leverages its Firebase Cloud Messaging Service. This was discovered by Abhishek Dharani, a Bangalore-based security researcher better known as “Abss.”

Quotes

First described in Abss’ blog post, which is a technical walk-through of the vulnerability, the Firebase Cloud Messaging exploit could allow attackers to send any push notifications to billions of app users, even if those users weren’t subscribed to the various apps’ push notifications. As reward for finding these vulnerabilities in the various apps, Abss and his team received $30,000 in bounties.

The problem lies with how sensitive data – here, API keys – was exposed in the app code (for Android, this is an APK file), allowing anyone to see it if they just dug enough. 

In fact, that’s exactly how Abss was able to discover this particular exploit. “I love taking time to understand things and to slowly connect the dots. The process of finding this was similar,” Abss told CyberNews. After digging through the APK’s .xml and .smali files, the recent Computer Science grad found keys that he thought may be sensitive (rather than ones intended to be made public). 

 

My thoughts

I never thought that an app development API could be a potential vulnerability, and yet here we are. Now I won't joke anymore about the overabundance of APIs and libraries; having more means we're less vulnerable if something like this comes up again. Luckily nothing happened.

 

Sources

https://cybernews.com/security/exposed-google-keys-leaves-billions-of-users-open-to-mass-spam-and-phishing-notifications/

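The CyberNews quote above says the problem was API keys sitting in the APK's .xml and .smali files, and that the trick is telling the keys that are meant to be public apart from the ones that are not. The following is an added example written for this page, not code from Abss' write-up or from Google: a small scanner that walks a decoded APK tree (the kind apktool or jadx produces), flags any Google API key, and separates the public `google_api_key` every Android app ships (a 39-character "AIza..." string) from a Firebase Cloud Messaging legacy server key ("AAAA<sender id>:APA91b...", which grants send access and must never be in a client). The key formats are assumptions based on how these credentials are commonly seen, the sample files and keys are constructed, and the dry-run request it builds targets Google's legacy FCM HTTP endpoint but is never sent.

```python
"""Scan a decoded Android APK tree for Firebase Cloud Messaging credentials.

Added example for this thread; not from the article or the researcher.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed formats: the public google_api_key is "AIza" + 35 chars and is
# meant to ship in the app; the FCM legacy *server* key is
# "AAAA<sender id>:APA91b..." and grants the right to push to the project.
KEY_PATTERNS = {
    "public-api-key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "legacy-server-key": re.compile(r"AAAA\d{6,}:APA91b[0-9A-Za-z_\-]{40,}"),
}
SCAN_SUFFIXES = {".xml", ".smali", ".json", ".properties", ".txt"}
LEGACY_SEND_URL = "https://fcm.googleapis.com/fcm/send"  # Google's legacy HTTP API

# Constructed sample keys (not real credentials).
SAMPLE_PUBLIC_KEY = "AIza" + "X" * 35
SAMPLE_SERVER_KEY = "AAAA123456789012:APA91b" + "Y" * 120


def classify_key(token: str) -> Optional[str]:
    """Return the key kind for a whole token, or None if it matches nothing."""
    for kind, pattern in KEY_PATTERNS.items():
        if pattern.fullmatch(token):
            return kind
    return None


def redact(key: str) -> str:
    """Keep enough of a key to recognise it in a report without re-leaking it."""
    return f"{key[:10]}...{key[-4:]}"


def scan_file(path: Path) -> list:
    """Collect every credential-looking token in one decoded file."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    return [
        {"path": str(path), "kind": kind, "key": m.group(0)}
        for kind, pattern in KEY_PATTERNS.items()
        for m in pattern.finditer(text)
    ]


def scan_tree(root) -> list:
    """Walk an apktool/jadx output directory and gather findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            findings.extend(scan_file(path))
    return findings


def server_keys(findings) -> list:
    """Only server keys matter: the public API key is supposed to be there."""
    return [f for f in findings if f["kind"] == "legacy-server-key"]


def build_dry_run_request(server_key: str, topic: str = "news") -> dict:
    """Build, but do not send, the request used to confirm a key is live.

    dry_run=true asks FCM to validate without delivering anything; that is the
    only acceptable check against a project you do not own.
    """
    return {
        "url": LEGACY_SEND_URL,
        "headers": {"Authorization": f"key={server_key}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"to": f"/topics/{topic}", "dry_run": True,
                            "notification": {"title": "validation", "body": "dry run"}}),
    }


def build_sample_apk_tree(root) -> None:
    """Write a constructed decoded-APK layout: one public key, one leaked server key."""
    root = Path(root)
    (root / "res" / "values").mkdir(parents=True)
    (root / "smali" / "com" / "example").mkdir(parents=True)
    (root / "res" / "values" / "strings.xml").write_text(
        "<resources>\n"
        f'  <string name="google_api_key">{SAMPLE_PUBLIC_KEY}</string>\n'
        '  <string name="app_name">Example</string>\n</resources>\n')
    (root / "smali" / "com" / "example" / "Push.smali").write_text(
        ".class public Lcom/example/Push;\n"
        f'    const-string v0, "key={SAMPLE_SERVER_KEY}"\n')


def run_demo() -> dict:
    """Scan the constructed tree and report what an attacker could reuse."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_apk_tree(tmp)
        findings = scan_tree(tmp)
        leaked = server_keys(findings)
        return {
            "total": len(findings),
            "server_keys": [redact(f["key"]) for f in leaked],
            "request": build_dry_run_request(leaked[0]["key"]) if leaked else None,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a real `apktool d` output by calling `scan_tree("/path/to/decoded")`; anything reported as `legacy-server-key` is the finding worth a bounty report, while `public-api-key` hits are expected and not a bug on their own.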

I see now why I got a spam text recently about "a package they received in April" with a link to a giveaway


1 minute ago, Fasauceome said:

I see now why I got a spam text

SMS-messages are a different thing and not related to this news.


Just now, WereCatf said:

SMS-messages are a different thing and not related to this news.

I use Google messages which has an internet cloud messaging component, thought that might be connected



I got two spam messages in my inbox today and wondered how that was possible, because Google is great at keeping crap away. This is probably what caused it.



laughs hysterically in iOS



What I don't understand is, which apps did he find the API keys in? At first it sounds like there was some issue with a Google service, but when I read his blog post about this it sounds more like he downloaded some random apps and inside one of them a developer had left their Firebase API keys in clear text. If that's what happened, which it seems to be, then it's basically like if someone on this forum left their username and password visible in some screenshot, and Linus went out and paid me for pointing it out because "flaw in image on LTT could have allowed users to post spam messages using another person's account".

 

Edit: Oh it did not work the way I thought it worked. This seems like an actual exploit in Google's service. He has a detailed explanation on his blog but it's quite drawn out.

 

 

39 minutes ago, Fasauceome said:

I see now why I got a spam text recently about "a package they received in April" with a link to a giveaway

Not related.

19 minutes ago, WikiForce said:

i got two spam in my inbox today and wondered how that was possible because google is great at keeping crap away, this is probably what caused it.

Not related.

 

This is about push notifications. Not text messages or email.

Also, it seems like this was fixed before it was exploited.

3 hours ago, HempBoosh said:

Summary

New vulnerabilities involving Google’s Firebase Cloud Messaging service could have allowed fraudsters to send mass spam and phishing push notifications to billions of Android users. The exploit involves Firebase, a Google platform that allows app developers to build their apps, and leverages its Firebase Cloud Messaging Service. This was discovered by Abhishek Dharani, a Bangalore-based security researcher better known as “Abss.”

Google Engineers also don't understand their own privacy settings:

https://arstechnica.com/tech-policy/2020/08/unredacted-suit-shows-googles-own-engineers-confused-by-privacy-settings/

 

It does create something of a perfect storm for abuse, where you think you've turned privacy features on or off, and then some malicious thing like spam or phishing ends up succeeding and your company (Google) doesn't even know where to begin to fix it.

 

How about for starters "Turn off messages from those not on my contact list, and not recently contacted/nearby"

 

And yes, there are far too many libraries/frameworks used, and that leads to poor vetting of the security of the underlying libraries, when something as little as the /O3 compiler switch might expose a vulnerability where /Os would not, since O3 on one compiler is not the same as on another.

 
