| Título | INVESTORY Investory(app.investory.toyfactory) 1.5.5 Firebase API Key Exposure |
|---|
| Descrição | In the Android application app.investory.toyfactory version 1.5.5, a hardcoded Google Firebase API key was discovered in assets/google-services-desktop.json. An attacker can extract it and use it to anonymously authenticate with Firebase Identity Toolkit. Once an anonymous user is created, the resulting ID token can be used to query the associated Firebase Realtime Database. Depending on the database security rules, this may grant unauthorized read access to sensitive user data. |
|---|
| Fonte | ⚠️ https://www.notion.so/Firebase-API-Key-Exposure-Leading-to-Unauthorized-Anonymous-Authentication-and-Data-Access-in-app-in-3262de3f97fb80f1abe6fb5f3eb373bc?source=copy_link |
|---|
| Utilizador | fxizenta (UID 28116) |
|---|
| Submissão | 17/03/2026 15h42 (há 19 dias) |
|---|
| Moderação | 03/04/2026 09h37 (17 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 355075 [Investory Toy Planet Trouble App até 1.5.5 em Android app.investory.toyfactory google-services-desktop.json current_key Encriptação fraca] |
|---|
| Pontos | 17 |
|---|