
I was playing around with Firebase Cloud Messaging and trying to send a notification to my app through a POST request. I sent a request to https://fcm.googleapis.com/fcm/send with the following headers:

```
Authorization: key=<MY-WEB-API-KEY>
Content-Type: application/json
```

and my message body.

It works, and that is the problem. How come this isn't a security risk? Anyone that goes into my website and looks at the source can get my web API key and send notifications to any users they wish. The only thing I can think of is that without the FCM tokens they won't be able to send messages to anyone, but then they could send messages to a topic which people are subscribed to...

I also thought I might be doing something wrong by putting this API key in my web app, but it says in the Firebase console I should do so.

So what do I do? Am I doing something wrong here?

EDIT: I made the request with Postman, this is the request it generated:

```http
POST /fcm/send HTTP/1.1
Host: fcm.googleapis.com
Authorization: key=AIza.....vI
Content-Type: application/json
cache-control: no-cache
Postman-Token: 4dd619e9-5852-4cb5-ba64-61be77478736

{
  "registration_ids": ["<device-token>"],
  "notification": {
    "title": "Title of your notification",
    "body": "content of your notification"
  }
}
```

The key in the authorization header is the one I got from my web app configuration section at https://console.firebase.google.com/project/PROJECT-NAME/settings/general/

ItsaMeTuni
  • If you think FCM is not working the want you expect with respect to security, please file an issue with Firebase support directly. https://support.google.com/firebase/contact/support – Doug Stevenson Dec 14 '19 at 21:25
  • Where did you get the value of `` from? Sending messages should require that you specify the FCM **server** key in the call to the FCM servers. – Frank van Puffelen Dec 14 '19 at 22:28
  • @FrankvanPuffelen I got it from my web app section at https://console.firebase.google.com/project//settings/general/ where it gives you a piece of code to set up Firebase with javascript (https://imgur.com/a/ns3lJRC). – ItsaMeTuni Dec 15 '19 at 19:54
  • That is pure configuration data, which can be freely shared with the users of your app. See my answer here: https://stackoverflow.com/q/37482366. But you shouldn't be able to send downstream messages with just that API key, as at least it should require that you also specify the FCM server key (which is **not** in that config snippet). Can you edit your question to show the exact, **complete** commands you issue to send the message? Feel free to obfuscate the key(s), but please leave their first and last few characters, as they help identifying the type of key you specify. – Frank van Puffelen Dec 15 '19 at 21:12
  • @FrankvanPuffelen done – ItsaMeTuni Dec 16 '19 at 20:27
  • Also, why did the question get downvoted? – ItsaMeTuni Dec 16 '19 at 20:27
  • The `Authorization: key=AIza.....vI` should be the FCM server key. Where did you get this value from? – Frank van Puffelen Dec 16 '19 at 20:42
  • @FrankvanPuffelen As I said earlier, I got it from https://console.firebase.google.com/project/PROJECT-NAME/settings/general/. – ItsaMeTuni Dec 16 '19 at 21:39
  • That is a rather big screen, which is why I'd like you to be extremely specific on where exactly you copied it from. A screenshot is fine, as is steps on specifically what you clicked on. – Frank van Puffelen Dec 16 '19 at 21:49
  • @FrankvanPuffelen Under firebase SDK snippet (https://imgur.com/a/6uqwHfB). It's my web API key. – ItsaMeTuni Dec 16 '19 at 22:14
  • Yikes. That is definitely not all that should be needed, as it should require the FCM server key, and the token. Now you're only protected by users typically only knowing their own FCM token(s), but it's still not working as I'd expect it. As Doug said, definitely [file a bug report](https://firebase.google.com/support/contact/bugs-features/) for this. – Frank van Puffelen Dec 16 '19 at 22:21
  • @FrankvanPuffelen yep, will do! Thanks! – ItsaMeTuni Dec 17 '19 at 23:37

1 Answer


firebaser here

This turned out to be a bug in the Firebase Cloud Messaging server, which has since been fixed. Sending with the API key from the client-side configuration snippet now returns 401 - Unauthorized, and you'll need the FCM server key to be able to send messages.

If you encounter a similar security concern in the future, consider reporting it to Google's Vulnerability Reward Program or through Firebase support.

Frank van Puffelen
  • I wish I had known about this Vulnerability Reward Program hehe. Well, glad it's fixed. Thanks! – ItsaMeTuni Dec 22 '19 at 19:19
  • The issue was reported already a few days before you posted here. Otherwise I would've of course redirected you there, as this one was probably rewardable. – Frank van Puffelen Dec 22 '19 at 22:21
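As an added illustration of the distinction the answer draws (not code from the question, the answer, or Firebase), the helper below builds a legacy FCM send request on the server side and refuses to proceed if the key it was handed is the public `apiKey` from the client-side `firebaseConfig` snippet rather than the FCM server key. The key values and config snippet used in the usage are constructed placeholders.

```python
import json
import re
from typing import Dict, Iterable, Optional, Tuple

FCM_LEGACY_ENDPOINT = "https://fcm.googleapis.com/fcm/send"


def public_web_api_key(firebase_config_js: str) -> Optional[str]:
    """Pull the apiKey out of the client-side firebaseConfig snippet.

    That key is shipped to every browser, so it is public configuration
    data and must never be accepted as the credential for sending.
    """
    match = re.search(r'apiKey\s*:\s*["\']([^"\']+)["\']', firebase_config_js)
    return match.group(1) if match else None


def build_fcm_send(server_key: str, public_key: Optional[str],
                   registration_ids: Iterable[str], title: str,
                   body: str) -> Tuple[Dict[str, str], str]:
    """Return (headers, json_body) for a legacy /fcm/send call.

    Raises ValueError instead of emitting a request that either has no
    credential or reuses the public Web API key as the server key.
    """
    if not server_key:
        raise ValueError("FCM server key is missing")
    if public_key is not None and server_key == public_key:
        raise ValueError("refusing to send: this is the client-side Web API "
                         "key, not the FCM server key")
    ids = [t for t in registration_ids if t]
    if not ids:
        raise ValueError("at least one registration id (device token) is required")
    headers = {
        "Authorization": f"key={server_key}",
        "Content-Type": "application/json",
    }
    payload = {
        "registration_ids": ids,
        "notification": {"title": title, "body": body},
    }
    # json.dumps guarantees well-formed JSON (no trailing commas etc.)
    return headers, json.dumps(payload)


if __name__ == "__main__":
    # Constructed placeholders, not real keys or tokens.
    snippet = 'const firebaseConfig = { apiKey: "AIzaPUBLIC_PLACEHOLDER", projectId: "demo" };'
    pub = public_web_api_key(snippet)
    headers, body = build_fcm_send("SERVER_KEY_PLACEHOLDER", pub,
                                   ["<device-token>"], "Title", "Body")
    print(headers["Authorization"].startswith("key=SERVER_KEY"), body)
```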