| Titel | INVESTORY Investory(app.investory.toyfactory) 1.5.5 Firebase API Key Exposure |
|---|
| Beschreibung | In the Android application app.investory.toyfactory version 1.5.5, a hardcoded Google Firebase API key was discovered in assets/google-services-desktop.json. An attacker can extract it and use it to anonymously authenticate with Firebase Identity Toolkit. Once an anonymous user is created, the resulting ID token can be used to query the associated Firebase Realtime Database. Depending on the database security rules, this may grant unauthorized read access to sensitive user data. |
|---|
| Quelle | ⚠️ https://www.notion.so/Firebase-API-Key-Exposure-Leading-to-Unauthorized-Anonymous-Authentication-and-Data-Access-in-app-in-3262de3f97fb80f1abe6fb5f3eb373bc?source=copy_link |
|---|
| Benutzer | fxizenta (UID 28116) |
|---|
| Einreichung | 17.03.2026 15:42 (vor 20 Tagen) |
|---|
| Moderieren | 03.04.2026 09:37 (17 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 355075 [Investory Toy Planet Trouble App bis 1.5.5 auf Android app.investory.toyfactory google-services-desktop.json current_key schwache Verschlüsselung] |
|---|
| Punkte | 17 |
|---|