| タイトル | INVESTORY Investory(app.investory.toyfactory) 1.5.5 Firebase API Key Exposure |
|---|
| 説明 | In the Android application app.investory.toyfactory version 1.5.5, a hardcoded Google Firebase API key was discovered in assets/google-services-desktop.json. An attacker can extract it and use it to anonymously authenticate with Firebase Identity Toolkit. Once an anonymous user is created, the resulting ID token can be used to query the associated Firebase Realtime Database. Depending on the database security rules, this may grant unauthorized read access to sensitive user data. |
|---|
| ソース | ⚠️ https://www.notion.so/Firebase-API-Key-Exposure-Leading-to-Unauthorized-Anonymous-Authentication-and-Data-Access-in-app-in-3262de3f97fb80f1abe6fb5f3eb373bc?source=copy_link |
|---|
| ユーザー | fxizenta (UID 28116) |
|---|
| 送信 | 2026年03月17日 15:42 (19 日 ago) |
|---|
| モデレーション | 2026年04月03日 09:37 (17 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 355075 [Investory Toy Planet Trouble App 迄 1.5.5 上 Android app.investory.toyfactory google-services-desktop.json current_key 弱い暗号化] |
|---|
| ポイント | 17 |
|---|