Firebase Vulnerability : Finding unprotected databases that Google hides

Firebase Vulnerability : Finding unprotected databases that Google hides

A cloud database is a convenient thing: consider that all the work on deploying and configuring the server has already been done for you, you just have to use it! It relaxes admins so much that such databases often remain unprotected and are searched for with the help of search engines. One caveat – this search engine cannot be Google!

Warning

All information is provided for informational purposes only. The author and the editors are not responsible for any possible harm caused by using the information from this article.

Firebase is a cloud platform that was developed by Envolve in 2011. It was originally a database for chat applications, but later became a favorite among developers of massively multiplayer online games. This prompted the founders to split Firebase into two parts: a chat module and a game framework module.

Two years later, in 2014, Google acquired Firebase and continued to develop. There are programming interfaces for this database for a variety of platforms and programming languages.

From a technical point of view, Firebase is cool and handy. It seems that there is no need to twist and finish anything here. But a secure configuration of the cloud base is still needed, and many owners forget about it, being too relaxed. So much so that they forget about the simplest thing – authentication.

We will look for insecure unprotected databases

It turns out that there are a lot of non-password-protected databases on the Internet, and this is easy prey for cybercriminals. Only now you won’t be able to google them, because Google decided that this problem can be solved by simply excluding these databases from the search results. Cleverly! But extremely unreliable.

Nothing prevents us from using another search engine – for example, Bing or DuckDuckGo… They already give out much more useful information.

Search query in Bing and DuckDuckGo

What can you do next after finding domains with vulnerable databases? We open any link – for example, https://hacker-news.firebaseio.com/v0/topstories.json… Information about it is useless, but if you remove the table name from the link topstories and leave only .json, then you can check whether the base is protected or not. In this case, the result looks like this:

{

“error” : “Permission denied”

}

 

That’s right, I personally would be notably surprised if the owners of this site made such a blatant oversight. But some do allow it. Ten minutes of searching the links, and the search will be crowned with success.

Found open database
Open database found

I found something more interesting – accounts with password hashes. It is not difficult to select them from a file with a simple Python script or ути­литой jq.

With help of HashID determine the type of hashes (it was MD5) and drive it into hashcat… If you do not have enough powerful hardware, you can use the online service – tools FindMyHash automatically picks them up. All of these utilities are preinstalled with Kali Linux.

Cracking password via FindMyHash
Cracking password via FindMyHash

We are waiting for ten minutes, and before us are logins and passwords in plain text.

Found base with open passwords in clear text
Found database with open passwords in clear text

Automation

Sitting around, changing search engines and going through all the URLs manually is very tedious. Too often you see “error: Permission denied”. So it’s time to automate! However, programming is not required, because it has already been done before us. Take for example script developed by Francesco Herrera.

The script picks up the URL itself and looks for vulnerable databases.

Download it and install dependencies:

git clone https://github.com/Turr0n/firebase.git

cd firebase

pip install -r requirements.txt

 

And run:

python3 firebase.py -p 4 -c 150 –dnsdumpster

 

Клю­чи:

  • p – indicates the number of threads (default 1, maximum 4);
  • dnsdumpster — генери­рует URL самос­тоятель­но;
  • с – how many domains to generate.

Yes, the script can generate links on its own. More precisely, he does not do it himself, but turns to the DNSdumpster utility for help.

The result of the script
The result of the script

The result shows that from the found bases:

  • 37 urls “broken” or no longer exist;
  • 171 the base is authenticated when accessing data and is protected;
  • one base with suspected vulnerability;
  • 25 bases are unprotected or vulnerable.

__________________________________________________

ProApk on Telegramhttps://t.me/proapk_in

ProApk on Google Newshttps://news.google.com/publications/CAAqBwgKMP_S9AowhYDbAg

ProApk on Twitterhttps://twitter.com/xdapirates

ProApk on Facebookhttps://facebook.com/www.proapk.in