FCM keys expose millions of users to spam and phishing

Security researcher Abhishek Dharani, known as Abss, has published a blog post on his investigation of a vulnerability in Firebase Cloud Messaging (FCM), a cloud service for messages and push notifications in Android, iOS and web applications. FCM is part of Firebase, a subsidiary of Google.

The bug, which affected mobile applications built on the FCM platform, allowed attackers to send push notifications to all users of the application, whether or not they had subscribed to them.

Abss discovered that the code of various Android applications contained the unique server keys that the FCM service checks to authenticate messages. With such a key, an attacker could create notifications with arbitrary content and send them to users of the affected application. If these keys have been exposed, they should be revoked on the server side and new ones generated.
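The defensive check that follows from this is to scan an application's own source tree or decompiled APK for hardcoded FCM server keys before release. The script below is an added example written for this page; it is not code from the article or from the researcher. It assumes the shape of a legacy FCM server key used by public secret-scanning rules (the prefix `AAAA`, a colon, `APA91b`, then a long URL-safe base64 tail); the sample `strings.xml` and the key inside it are constructed to have that shape and are not real credentials.

```python
import re
from pathlib import Path
from typing import Dict, List

# Assumption: shape of a legacy FCM *server* key as matched by public
# secret-scanning rules ("AAAA", 7 chars, ":APA91b", 140 URL-safe base64 chars).
# This is the key that authenticates outbound messages and must never ship in
# a client app; a numeric sender ID or a client API key is expected there.
FCM_SERVER_KEY_RE = re.compile(r"AAAA[A-Za-z0-9_-]{7}:APA91b[A-Za-z0-9_-]{140}")


def find_fcm_server_keys(text: str) -> List[str]:
    """Return every substring of `text` that looks like an FCM server key."""
    return FCM_SERVER_KEY_RE.findall(text)


def redact(key: str) -> str:
    """Keep only enough of a key to identify it in a report, never the whole secret."""
    return key[:12] + "..." + key[-4:]


def scan_tree(root: Path,
              suffixes=(".xml", ".json", ".java", ".kt", ".smali",
                        ".properties", ".js")) -> Dict[str, List[str]]:
    """Walk a source tree or decompiled APK and report files containing server keys.

    Returns {file path: [redacted keys]} so the output can be pasted into a
    finding without re-leaking the credential.
    """
    findings: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if not (path.is_file() and path.suffix in suffixes):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        keys = find_fcm_server_keys(text)
        if keys:
            findings[str(path)] = [redact(k) for k in keys]
    return findings


# Constructed sample resource file: the key has the right shape but is not real.
SAMPLE_KEY = "AAAA" + "x" * 7 + ":APA91b" + "y" * 140
SAMPLE_STRINGS_XML = f"""<resources>
    <string name="app_name">Example</string>
    <string name="fcm_server_key">{SAMPLE_KEY}</string>
    <string name="gcm_defaultSenderId">123456789012</string>
</resources>"""


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; point scan_tree() at a
    # decompiled APK directory (e.g. the output of apktool) for a real check.
    for key in find_fcm_server_keys(SAMPLE_STRINGS_XML):
        print("possible FCM server key found:", redact(key))
```

A hit on a server key in a client artifact means the key is already public and should be treated as compromised: rotate it on the server side and remove it from the app, which is the remediation the article describes.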