Google Firebase Cloud Messaging offers spam tier for some – no account required, just knowledge of bad security

All that's necessary is willingness to abuse server keys exposed in apps and some technical know-how


Ten days ago, Abhishek Dharani, a Bengaluru, India-based bug hunter who goes by the name Abss online, recounted how he received a reward from Google for reporting a vulnerability in Google's Firebase Cloud Messaging (FCM) service.

Dharani found that he could extract FCM server keys from Android apps, and use those keys to authorize Firebase to send push notifications to users of apps that implemented FCM as a messaging backend – such as Google Hangouts and Google Play Music.

The find, detailed in a lengthy writeup, was enough for Google and other participating vendors to pay out $30,000 as a bounty..

But over the past few days, users of the Android versions of Google Hangouts and Microsoft Teams have reported being flooded with notification spam.

It appears someone has taken Dharani's research and is using it to send spurious messages to FCM-dependent apps.

"I do believe that someone actually has implemented my proof-of-concept exploit," Dharani told us.

His research involved downloading a large number of Android apps and probing them for exposed server keys.

Asked why the problem seems not to have been fixed despite being reported to Google, Dharani said, "It's all about exposing that secret key. Google Firebase says it in their docs to keep them secret. If the secret's out, there's not much to fix. The fix has to be implemented by the affected organization itself and it isn't something that Google could fix permanently."

Dharani said all his reported bugs were disclosed to Google because it was their keys exposed in their own apps. He believes Google has fixed its apps by replacing the key. "But apparently it could be possible that another key was exposed elsewhere and a curious hacker might have taken advantage of it," he said.

Cyclist falling off his bike

From Gmail to Gfail: Google's G-Suite topples over for unlucky netizens, rights itself

READ MORE

"There's no need to rebuild the Android code," he added. "It's a pure server-side re-implementation. Deleting the key from the respective Firebase console will solve the issue."

Until a few hours ago, the closest thing to official advice from Microsoft was to ignore the messages.

But now Microsoft says the problem has been dealt with. "We've mitigated an issue where some users were receiving test notifications on their Android mobile devices," a Microsoft spokesperson told The Register in an email.

The Register asked Google for comment but we've not heard back. ®


Biting the hand that feeds IT © 1998–2020