Discovering Unsecured Firebase Databases

It is not news that finding leaked Firebase databases is simple. However, despite this problem being well-known, it is not immediately obvious if any further actions have been taken by Google as added mitigation. To put into perspective the severity of this issue, Goon Security conducted a 12-hour GasLeak campaign and analyzed a treasure trove of leaked data. This campaign resulted in over 13,000,000 records including emails, passwords, phone numbers, and private messages from over 450 databases. Goon Security is working with affected organizations to remediate these unsecured database instances.

GasLeak is a very simple tool that abuses a very simple feature of Firebase realtime databases. When creating a Firebase database the user is prompted to select either a “locked mode” or a “test mode”. The “locked mode” option restricts read and write, while “test mode” allows anyone to read and write. A red warning message is displayed when read and write is allowed publicly.

When a user clicks “Dismiss” this warning goes away and seemingly never appears again.

This means when a developer is finished with testing and is ready to move into a production environment, it is up to them to remember that the database is in a “testing mode”. While this is no fault of Google’s, this leaves a huge opportunity for attackers to capitalize on developers. 

EDIT: Google has made very important changes to this feature. Firebase users are emailed reminders about their insecure security rules, and testing mode now lasts only 30 days.

Data is ordinarily accessed via a JSON file, as shown in the screenshot below.

This means that even if the database was open to the public, you would need to bruteforce the filenames.

However, omitting the filename returns the entire database, skipping the need for directory busting.

Now, all GasLeak has to do is abuse this feature by brute forcing subdomains. Goon Security ran a 12-hour campaign using a wordlist generated from the Alexa Top 1 million. 

Gigabytes worth of leaked databases were discovered, and millions of lines of leaked credentials. Some of the interesting finds are outlined below.

PAN numbers / passbooks

Phone call / transaction logs

Appended at the bottom of 4 of these databases, it appears another researcher made their mark as well.

Team:

  • Jaggar Henry
  • Antero Nevarez-Lira
  • Donald Connors
  • Evelyn Griffin