Firebase Cloud Messaging Vulnerability Potentially Affecting Billions

Priority: Major

Executive Summary:
Users worldwide with Microsoft Teams installed on their Android/IOS devices have reported that they have been receiving suspicious push notifications since the early hours of Thursday 27th August. This follows from the recent uncovering of a vulnerability reported for Firebase Cloud Messaging, in which the exploitation of FCM Server keys, stored within APK files, enabled the broadcasting of push notification messages to anyone using a Firebase-based application. This was achieved by manipulating logical expressions to bruteforce and send notifications to all users subscribed to any topic within an application [1]. The messages have been linked to the Firebase vulnerability as Google Hangouts users experienced the same issue just days prior. Google have since announced they are investigating the issue but have not claimed responsibility for the notifications, indicating some form of exploitation may have occurred.

The potential Phishing implications of such an exploit are extensive. This has become increasingly worrying as subsequent notifications since the initial message “FCM Messages Test Notification!!!!” have been received with appended “s” characters to “Notification” [2]. This could point towards an attempt to manipulate sent messages and, if successful, could be damaging on a global scale if malicious URL’s are pushed.

Since the notifications, Microsoft 365 have posted an update through Twitter, stating that they have isolated the source of the issue and applied a mitigation. They have confirmed that no further unexpected notifications are being sent to users’ Android devices [3]. However, organisations may wish to remind staff to be wary of potential phishing attempts in unexpected notifications.

Detect:
Firebase is widely used within tech stacks and so any developer utilizing the firebase platform should refer to the prevent and react sections of this threat horizon.

A Google spokesperson has said that the issue is “specifically related to developers including API keys in their code for services that should not be included, which could then be exploited”, as opposed to the FCM service being vulnerable itself [4].

The spokesperson also said, “in cases where Google is able to identify that a server key is used, we attempt to alert the developers so they can fix their app” [4].

Affected Products:
It is unclear what specific products are affected but reports of these test notifications have come from a wide range Android and IOS devices. Moreover, due to the nature of the vulnerability, all devices using Firebase based applications should refer to the prevent section of this threat horizon.

As Microsoft have now stated that they have applied a mitigation to the issue and confirmed that there have been no further unexpected notifications, the Teams application on users’ phones should no longer be affected.

Prevent:
Users of Android/IOS devices with Firebase based applications should be cautious and not follow any unknown URLs or messages sent through these applications. If this becomes more of a concern, users should uninstall such application from their devices.

All developers involved in Firebase based projects should inspect their credentials for potentially vulnerable keys. In the case that a server key is suspected to be vulnerable, refer to the react section of this threat horizon.

React:
As Microsoft have stated that they have resolved the issue, no further action should need to be taken by organisations to protect their users from malicious notifications. However, organisations may wish to warn their employees that such an attack is possible, and ask their employees to remain vigilant of such an attack.

As a potential fix for the exploit, developers involved in Firebase projects should delete or regenerate their legacy server keys. It should be noted that deleting the key could be problematic and so developers should only do so if they are certain it will not be used again [1].

Sources:
[1] https://abss.me/posts/fcm-takeover/#defining-impact
[2] https://i.imgur.com/XYdkfFM.jpg
[3] https://twitter.com/MSFT365Status/status/1299066761522757632
[4] https://portswigger.net/daily-swig/google-firebase-messaging-vulnerability-allowed-attackers-to-send-push-notifications-to-app-users