Firebase

Question

Firebase

random-robbie opened this issue 5 years ago · comments

Robbie commented 5 years ago

Service name

Google Firebase

Can i take it over

No - requires txt record to authenticate it so it's not possible.

MelarDev · Answer 1 · Mon Jan 06 2020 18:05:46 GMT+0800 (China Standard Time)

funny, I was just trying a few hours ago to take over a firebase app, I could not, but what I noticed is that the TXT record is the same for the same custom domain in the same user session, I did not test further, I was lazy, the remaining test is, to check if the TXT record is the same for the same custom domain after logout/login, and most importantly across any account, because if the victim is given a TXT record, but you are given another one for the same vulnerable.example.com, then it is not vulnerable.

MelarDev · Answer 2 · Mon Jan 06 2020 18:11:08 GMT+0800 (China Standard Time)

@random-robbie This is the TXT record I get when I try to add github.com:
google-site-verification=_hFoiuxEK5rlpZZfR8DgLq48UvrqRleu6cat5EBe3x0
Can you tell me if you get the same?

Sven · Answer 3 · Sat Feb 08 2020 19:49:31 GMT+0800 (China Standard Time)

I get a different one: google-site-verification=vENMi3mjve0BU8HfQLJQ3ts8B9U8IF3UDBdWpN8Y1ls

MelarDev · Answer 4 · Tue Feb 11 2020 23:31:11 GMT+0800 (China Standard Time)

@shoeper Thanks for confirming. I keep getting the TXT I said at the beginning, so I think we get a constant TXT per account and hostname, that would mean it is not vulnerable since other accounts get a different TXT value.

Ankur Tehlan · Answer 5 · Sun Jan 22 2023 00:11:19 GMT+0800 (China Standard Time)

Can it is possible to takeover firebase subdomain