Exposed FCM keys leave billions of users open to mass spam and phishing notifications
[Updated August 27]
The FCM exploit originally discovered by security researcher Abss seems to have hit Microsoft Teams as well. Users have reported receiving mass spam push notifications early in the morning. The news has hit Reddit, where hundreds of users are discussing the FCM spam.
While Abss originally showed only that the FCM exploit was possible with his proof of concept, users are now receiving mass spam notifications, which suggests that someone has performed this attack in the wild.
I checked in with Abss again, who believes that the latest issue of Microsoft Teams getting FCM notifications is most likely related. He estimated that around 15% of all apps using FCM could be affected by this exploit, which means it's likely to continue unless developers actively mitigate the issue.
Abss told CyberNews: "If you receive the message, there's really no way to tell if it was intended by the Google/Microsoft teams or if it was a curious hacker. It's up to either Google or Microsoft to find that out." However, he had some good news for users receiving the message: "There's no need to worry if you get the message. However, beware that the content of the notification can be controlled by the attacker. It can also contain images (yes, including graphic and disturbing images), so beware of the content and don't follow any links."
The original article follows below.
New vulnerabilities in the way apps use Google’s Firebase Cloud Messaging (FCM) service could have allowed fraudsters to send mass spam and phishing push notifications to billions of Android users. The exploit involves Firebase, Google’s platform for building mobile and web apps, and specifically its Firebase Cloud Messaging service, which delivers push notifications. It was discovered by Abhishek Dharani, a Bangalore-based security researcher better known as “Abss.”
First described in Abss’ blog post, which is a technical walk-through of the vulnerability, the Firebase Cloud Messaging exploit could allow attackers to send arbitrary push notifications to billions of app users, even if those users weren’t subscribed to the various apps’ push notifications. As a reward for finding these vulnerabilities in the various apps, Abss and his team received $30,000 in bounties.
The problem lies with how sensitive data – here, Firebase keys that authorize sending messages to an app’s users – was shipped inside the app code (for Android, the APK file), where anyone who unpacked the APK could read it if they dug enough.
In fact, that’s exactly how Abss was able to discover this particular exploit. “I love taking time to understand things and to slowly connect the dots. The process of finding this was similar,” Abss told CyberNews. After digging through the APK’s .xml and .smali files, the recent Computer Science grad found keys that he thought might be sensitive (rather than ones intended to be made public).
“After initially observing these weird keys and their variable names, I started reading a lot of documentation on Firebase Cloud Messaging.”
The most likely attacks using the Firebase vulnerability
After connecting the dots, Abss noticed that he, or any malicious attacker holding one of these keys, could abuse the logical conditions and expressions that FCM accepts for targeting messages: instead of naming individual devices, a sender can address devices with a boolean expression over topic subscriptions. With this, he could broadcast malicious push notifications to every user of an Android app built on the Firebase Cloud Messaging service.
Because such an expression is evaluated against each installed copy of the app rather than against an opt-in list, an attacker could even send notifications to users who had never subscribed to receive them.
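The article does not reproduce the exact expression Abss used, so the following is an added Python model, not his code and not anything Google ships, of how FCM's documented condition grammar (topic membership tests joined by `&&`, `||`, `!` and parentheses, at most five topics) is evaluated per device. The fleet of three devices is constructed for the example. It shows why a condition built around a negated topic test matches a device that never subscribed to any topic at all, which is the behaviour the paragraph above describes.

```python
"""Model of FCM topic-condition evaluation (added example, not Abss's code)."""
import re
from typing import Dict, List, Set, Tuple

# An FCM "condition" is a boolean expression over topic membership tests,
# e.g. "'TopicA' in topics && ('TopicB' in topics || 'TopicC' in topics)".
# Operators: &&, ||, ! and parentheses; FCM allows at most five topics.
_TOKEN_RE = re.compile(
    r"\s*(?:'(?P<topic>[A-Za-z0-9_.~%-]+)'\s+in\s+topics"
    r"|(?P<and>&&)|(?P<or>\|\|)|(?P<not>!)|(?P<lp>\()|(?P<rp>\)))"
)
MAX_TOPICS = 5

Token = Tuple[str, str]


def tokenize(condition: str) -> List[Token]:
    """Split a condition into (kind, text) tokens; reject anything off-grammar."""
    tokens: List[Token] = []
    pos, end = 0, len(condition.rstrip())
    while pos < end:
        m = _TOKEN_RE.match(condition, pos)
        if not m:
            raise ValueError(f"unparseable condition near {condition[pos:]!r}")
        kind = m.lastgroup
        tokens.append((kind, m.group(kind)))
        pos = m.end()
    if sum(1 for kind, _ in tokens if kind == "topic") > MAX_TOPICS:
        raise ValueError("FCM rejects conditions naming more than five topics")
    return tokens


class _Evaluator:
    """Recursive descent: expr := term ('||' term)*, term := factor ('&&' factor)*,
    factor := '!' factor | '(' expr ')' | topic. Evaluates for one device."""

    def __init__(self, tokens: List[Token], subscribed: Set[str]):
        self.tokens, self.i, self.subscribed = tokens, 0, subscribed

    def peek(self):
        return self.tokens[self.i][0] if self.i < len(self.tokens) else None

    def take(self, kind: str) -> Token:
        if self.peek() != kind:
            raise ValueError(f"expected {kind}, found {self.peek()}")
        self.i += 1
        return self.tokens[self.i - 1]

    def expr(self) -> bool:
        value = self.term()
        while self.peek() == "or":
            self.take("or")
            rhs = self.term()          # always consume the operand
            value = value or rhs
        return value

    def term(self) -> bool:
        value = self.factor()
        while self.peek() == "and":
            self.take("and")
            rhs = self.factor()
            value = value and rhs
        return value

    def factor(self) -> bool:
        kind = self.peek()
        if kind == "not":
            self.take("not")
            return not self.factor()
        if kind == "lp":
            self.take("lp")
            value = self.expr()
            self.take("rp")
            return value
        _, name = self.take("topic")
        return name in self.subscribed


def evaluate(condition: str, subscribed: Set[str]) -> bool:
    """True if a device with the given topic subscriptions matches the condition."""
    ev = _Evaluator(tokenize(condition), subscribed)
    result = ev.expr()
    if ev.peek() is not None:
        raise ValueError("unexpected trailing tokens in condition")
    return result


def targets(condition: str, fleet: Dict[str, Set[str]]) -> List[str]:
    """Ids of the devices in fleet (id -> subscribed topics) the condition reaches."""
    return sorted(dev for dev, subs in fleet.items() if evaluate(condition, subs))


# Constructed fleet: three installs of one app. device-c never subscribed to anything.
FLEET: Dict[str, Set[str]] = {
    "device-a": {"news"},
    "device-b": {"news", "promo"},
    "device-c": set(),
}

if __name__ == "__main__":
    print(targets("'promo' in topics", FLEET))              # ['device-b']
    print(targets("!('no-such-topic' in topics)", FLEET))   # all three, opted in or not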
With the help of his friend Yash Sodha, Abss found a list of highly popular affected apps, including:
- Google Play Music (5 billion installs)
- Google Hangouts (1 billion installs)
- YouTube Music (100 million installs)
- YouTube Go (500 million installs)
- Smule Autorap (10 million installs)
- Smule - The Social Singing App (100 million installs)
- Deliveroo (10 million installs)
There are also reports that Microsoft Teams may have fallen victim to this FCM exploit, and there are certainly many other vulnerable apps.
In total, removing some likely audience overlap, billions of users were exposed to this exploit.
Certainly, the amount of damage bad actors could do with such a vulnerability is limited only by the attacker’s creativity. The major, immediate impact could be a coordinated political intervention, in which an attacker sends mass notifications to billions of these app users favoring one political candidate over another, or spreading false news about a certain candidate, especially since the notifications would appear to come from trusted apps, several of them Google’s own.
Attackers could also use the Firebase vulnerability to send mass phishing notifications. “Assume a 0.5% success rate on a 1 billion userbase!” Abss points out. Certainly, that would be a highly successful campaign in terms of absolute numbers, netting the attackers potentially millions of dollars.
Another way for attackers to exploit this vulnerability would be to cripple other businesses’ reputations, including the very app that the notifications are being sent on.
Abss notified the affected vendors of the issue beginning in February, and Google in April. While all issues were patched in July, some vendors have not yet agreed to a public disclosure.
According to a Google I/O Firebase presentation in 2017, more than 1 million developers have built apps with Firebase.
While Abss notified the affected vendors for the apps he analyzed, he believes that there are many app developers with Firebase projects whose apps may still be affected. “My research sourced keys only from mobile app code. Keeping in mind different sources such as GitHub, Gitlab, BitBucket and others that could expose such keys, I would say a good 15% of existing apps might be vulnerable at the given moment,” says Abss.
In that case, developers should check their apps for any potentially vulnerable keys. “In order to stop this kind of attack,” Abss told CyberNews, “the organisation has to quickly disable or delete the keys.” Deleting a key invalidates every leaked copy of it; the replacement key should then live only on the backend that calls FCM, never in the client build, and the shipped APK should be re-checked for stray copies in its resources and decompiled code.
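To turn that advice into a repeatable check, here is an added Python scanner (not Abss’s tooling and not anything Google ships) that walks an apktool-decoded APK tree, pulls string constants out of the resource XML and .smali files Abss mentions, and separates the Firebase client API key, which is designed to be in the app, from an FCM legacy server key, which authorizes sending and must not be. The key-shape regexes and the file layout are assumptions based on commonly observed formats, and the tree it scans is constructed inline with fake keys so the example runs offline.

```python
"""Scan a decoded APK tree for Firebase keys and tell the public client key apart
from a leaked FCM server key. Added example, not Abss's or Google's tooling."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Firebase/Google client API key: "AIza" + 35 chars. It is designed to ship in the
# app (restrict it in the console, but finding one is not the FCM problem).
CLIENT_API_KEY = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
# FCM legacy server key: "AAAA<sender-id part>:APA91b<...>". It authorizes POSTs to
# fcm/send and must never be embedded in a client. (Assumption: key shape as
# commonly observed; treat the regex as a heuristic, not a specification.)
SERVER_KEY = re.compile(r"\bAAAA[0-9A-Za-z_-]{6,10}:APA91b[0-9A-Za-z_-]{100,}")
# smali string constant:  const-string v0, "..."
SMALI_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')


@dataclass(frozen=True)
class Finding:
    severity: str   # "CRITICAL" (server key) or "INFO" (client key)
    kind: str
    path: str       # relative to the decoded tree, forward slashes
    where: str      # resource name or "line N"
    value: str


def classify(value: str) -> Optional[Tuple[str, str]]:
    """Return (severity, kind) for a string that looks like a Firebase key."""
    if SERVER_KEY.search(value):
        return "CRITICAL", "fcm_server_key"
    if CLIENT_API_KEY.search(value):
        return "INFO", "firebase_client_api_key"
    return None


def _xml_strings(path: str) -> Iterator[Tuple[str, str]]:
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return
    for el in root.iter("string"):          # <string name="...">value</string>
        yield el.get("name", "?"), el.text or ""


def _smali_strings(path: str) -> Iterator[Tuple[str, str]]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = SMALI_STRING.search(line)
            if m:
                yield f"line {lineno}", m.group(1)


def scan_tree(root: str) -> List[Finding]:
    """Walk an apktool-style tree: every *.xml resource file and every *.smali file."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".xml"):
                strings = _xml_strings(path)
            elif name.endswith(".smali"):
                strings = _smali_strings(path)
            else:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            for where, value in strings:
                hit = classify(value)
                if hit:
                    findings.append(Finding(hit[0], hit[1], rel, where, value))
    return sorted(findings, key=lambda f: (f.severity != "CRITICAL", f.path, f.where))


def build_sample_tree(base: str) -> str:
    """Write a constructed decoded-APK tree (fake keys, not real ones) and return it."""
    root = os.path.join(base, "app-decoded")
    os.makedirs(os.path.join(root, "res", "values"))
    os.makedirs(os.path.join(root, "smali", "com", "example"))
    fake_server_key = "AAAA" + "x" * 7 + ":APA91b" + "Y" * 134
    fake_client_key = "AIza" + "A" * 35
    with open(os.path.join(root, "res", "values", "strings.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
                 f'    <string name="google_api_key">{fake_client_key}</string>\n'
                 '    <string name="app_name">Example</string>\n'
                 f'    <string name="fcm_server_key">{fake_server_key}</string>\n'
                 '</resources>\n')
    with open(os.path.join(root, "smali", "com", "example", "Push.smali"), "w") as fh:
        fh.write('.class public Lcom/example/Push;\n'
                 f'    const-string v0, "key={fake_server_key}"\n'
                 '    const-string v1, "https://fcm.googleapis.com/fcm/send"\n')
    return root


def scan_sample() -> List[Finding]:
    """Build the constructed tree in a temp dir and scan it."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.severity:8} {f.kind:24} {f.path} ({f.where})")
```

Against a real build, decode the APK first (`apktool d app.apk`) and point `scan_tree()` at the output directory. A CRITICAL hit means the key is already public: create a new key in the Firebase console, move it to the backend that calls FCM, delete the old one, and ship a build that no longer contains either.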
For his and his team’s work, Abss has netted $30,000 in bounties so far, as well as a Google Covid-19 vulnerability research grant.