PSA: A Firebase Cloud Messaging exploit is likely behind strange push notifications from Microsoft Teams and Hangouts
It seems we can’t go a day without another significant security flaw popping up somewhere in some software or service. This week seems to be the time for Firebase Cloud Messaging to run up against an easily-exploitable vulnerability.
Firebase Cloud Messaging is a framework by Google to help make delivering notifications through apps on almost any platform easier. With some simple configuration of both your app and a server, you can send general or targeted push notifications out to your users within minutes. Most Android apps that deliver push notifications likely use Firebase Cloud Messaging (or the legacy Google Cloud Messaging) to do so. That includes apps from single hobbyist developers to apps from giant corporations like Microsoft and, of course, Google.
And that’s where this exploit comes in. If you use apps like Microsoft Teams or Google Hangouts, you may have recently noticed random notifications coming in, like the ones in the following screenshot. These are from people taking advantage of improper configurations of Firebase Cloud Messaging.
I won’t get into too much detail here, but this issue isn’t really Google’s fault. In order to securely send push notifications, Google requires that the server that’s actually sending them also send a key to validate that they’re genuine. This key is only supposed to be in your Firebase console and on your server.
But the affected apps, for whatever reason, also have the key built into them. It’s not used, but it’s there, in plaintext, for anyone to see and use. Somewhat ironically, Google Hangouts and Google Play Music seem to be vulnerable to this exploit, as well as Microsoft Teams. So it’s sort of Google’s fault, but also not really.
And it can be used for pretty nefarious purposes. While it seems most “implementations” of this vulnerability have only been used to send weird text to people, it is possible for an attacker to execute a phishing scam. The text of the notification could be something like, “Your session has expired. Please tap here to sign in again,” with a URL that gets launched when you tap it. That URL could end up being a site styled to look like, say, Microsoft’s login page. But instead of logging into Microsoft, you’re giving someone your login.
What Should Users Do?
Nothing. There’s not much you, as a user, can do to stop these notifications. You can block the channels they come in on (or block notifications from the app altogether), but you can’t filter out the illegitimate notifications, since, as far as Firebase knows, they are legitimate.
What you can do, though, is be careful. If you get a notification that seems to be asking for your login details—or any other personal information for that matter—don’t tap on it. Instead, open the app directly. If the notification was real, the app will indicate that. Otherwise, it was likely a phishing attempt. If you do tap a notification, immediately close any website that opens up.
And finally, if you’ve already put your password in somewhere through a notification, change it immediately, deauthorize all logged-in devices (if applicable), and enable two-factor authentication if you haven’t already.
What Should Developers Do?
If you’ve implemented Firebase Cloud Messaging into your apps, check the configuration files to make sure your server keys aren’t in there. If they are, invalidate them immediately, create new ones, and reconfigure your server.
Again, this isn’t a very technical article, so you’ll want to visit the links below for more information on mitigation.
Google and Microsoft Responses
A Google spokesperson told The Daily Swig that the issue was “specifically related to developers including API keys in their code for services that should not be included, which could then be exploited,” rather than the Firebase Cloud Messaging service itself being compromised. “In cases where Google is able to identify that a server key is used, we attempt to alert the developers so they can fix their app,” the spokesperson added.
Microsoft issued the following statement on Twitter:
We’ve isolated the source of the issue and applied a mitigation. We’ve confirmed that no further unexpected notifications are being sent to users’ Android devices. Additional details can be found in the admin center under TM221041.
— Microsoft 365 Status (@MSFT365Status) August 27, 2020
Here are a couple of articles that go into much more detail about what this exploit is, how it works, and how you can make sure you aren’t vulnerable. If you’re an app developer, or you’re just interested in checking out how this works, take a look.