Firebase is one of the widely used data stores for mobile applications. In 2018, Appthority Mobile Threat Team (MTT) discovered a misconfiguration in Firebase instance also called HospitalGown vulnerability. The following are some of the key highlights taken from the research paper published by Appthority Mobile Threat Team (MTT):
- The research was performed on total of 2,705,987 apps and 27,227 Android apps and 1,275 iOS apps were found to be connected to a Firebase database. Of those connected apps, it was observed that:
- 1 In 11 Android apps (9%) and almost half of iOS apps (47%) that connect to a Firebase database were vulnerable
- More than 3,000 apps were leaking data from 2,300 unsecured servers. Of these, 975 apps were in active customer environments.
- 1 in 10 Firebase databases (10.34%) are vulnerable
- Vulnerable Android apps alone were downloaded over 620 million times
- Over 100 million records (113 gigabytes) of data was exposed
- Support for Python 2.7
Say what the step will be
git clone https://github.com/shivsahni/FireBaseScanner.git
Once the script is downloaded, run the script with the required arguments. We can either provide the APK file as an input as shown below:
python FirebaseMisconfig.py --path /home/shiv/TestAPK/test.apk
or
python FirebaseMisconfig.py -p /home/shiv/TestAPK/test.apk
Or we can provide the comma sperated firebase project names as shown below:
python FirebaseMisconfig.py --firebase project1,project2,project3
or
python FirebaseMisconfig.py -f project1,project2,project3
- Shiv Sahni - LinkedIn