Misconfiguration of Firestore Lets Upload of Any File and Unauthorized Access
https://hyperbooks.app/ helps you keep track of your bills and expenses. It’s easy to use and has a sleek UI. It’s built with React and uses a bunch of Firebase services.
From the hacker side of things, testing Firebase apps still lacks resources and is not a well-charted road. Firebase brings great security advantages, but keep in mind that during development you still need to follow secure coding and system design practices.
The vulnerability we came across in Hyperbooks is a simple one with an easy fix. Because it is so simple, it would also be low-hanging fruit for attackers if the app weren't just getting started and had already gained a lot of attention.
File Upload Vulnerability
When onboarding to the app, you create a business profile where it's possible to upload your logo. It's also available in the Business Profile menu after creation.

Clicking on the business logo to upload an image makes the HTTP request below to firebasestorage.googleapis.com.
POST /v0/b/hyper-books.firebasestorage.app/o?name=users%2FyYtkY24khUZuYu0bUSFeRjl6iyq1%2Flogo.jpg HTTP/2
Host: firebasestorage.googleapis.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0
Referer: https://hyperbooks.app/
X-Goog-Upload-Protocol: multipart
Content-Type: multipart/related; boundary=65857809588408125666515426865397
Authorization: Firebase eyJhbGciO...
X-Firebase-Storage-Version: webjs/11.5.0
Content-Length: 31548
Origin: https://hyperbooks.app

--65857809588408125666515426865397
Content-Type: application/json; charset=utf-8

{"name":"users/yYtkY24khUZuYu0bUSFeRjl6iyq1/logo.jpg","contentType":"image/jpg"}
--65857809588408125666515426865397
Content-Type: image/jpg

[binary JPEG data omitted]
When this request hits Google's servers, the only thing standing between it and the bucket is the security rules in your Firebase Storage config, so you should always define them. In this case there weren't any, so it's possible to upload anything. Since it's Firebase Storage and it doesn't execute uploaded files, this is not a severe issue by itself. Here is an HTML upload:

Visiting the uploaded file's URL returns the HTML.

Unauthorized File Read Vulnerability
The Firebase Storage bucket doesn't have any rules implemented for read access, so an unauthenticated request to the bucket lists every file it contains. In this case, the only things stored are logos. The request and its response:

To view its content:

Remediation
We all make mistakes. It's a rush to develop new features and try to be secure at the same time. That is why we do these audits. Let's look at how we can fix these Firebase Storage issues.
Here is an example rule to patch this:
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow list: if false;
    }
    match /users/{userId}/{fileName} {
      allow get: if request.auth != null && request.auth.uid == userId;
      allow write: if request.auth != null && request.auth.uid == userId && request.resource.contentType.matches('image/.*');
    }
  }
}
Apart from this rule, you should also prevent the upload of SVG files, which can be done by blocking 'image/svg.*'. That matters for cases where the uploaded files are somehow served over your domain, so any XSS payload in an SVG file is blocked.
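Below is the remediation rule written out with the SVG block folded in, as an added example rather than the rule Hyperbooks deployed; the size cap and the split of write into create/update/delete are additions we made, and the contentType checks only inspect the type the client declares, not the file bytes.

```text
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Nobody, authenticated or not, may enumerate the bucket.
    match /{allPaths=**} {
      allow list: if false;
    }

    // Each user may only touch objects under their own uid prefix.
    match /users/{userId}/{fileName} {
      allow get: if request.auth != null
                 && request.auth.uid == userId;

      allow create, update: if request.auth != null
                 && request.auth.uid == userId
                 // declared type must be an image ...
                 && request.resource.contentType.matches('image/.*')
                 // ... but not SVG, which can carry script if served from your origin
                 && !request.resource.contentType.matches('image/svg.*')
                 // size cap is our assumption, not part of the original rule: 5 MiB
                 && request.resource.size < 5 * 1024 * 1024;

      // Deletes carry no request.resource, so they get only the ownership check.
      allow delete: if request.auth != null
                 && request.auth.uid == userId;
    }
  }
}
```

After deploying, an unauthenticated GET on /v0/b/<bucket>/o (the list endpoint shown earlier) should return 403 rather than the object listing.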
We thank Samadhi Gunasinghe (Co-founder and Web Developer at hyperreal) for his help on mitigating and publishing.