| Title | INVESTORY Investory(app.investory.toyfactory) 1.5.5 Firebase API Key Exposure |
|---|
| Description | In the Android application app.investory.toyfactory version 1.5.5, a hardcoded Google Firebase API key was discovered in assets/google-services-desktop.json. An attacker can extract it and use it to anonymously authenticate with Firebase Identity Toolkit. Once an anonymous user is created, the resulting ID token can be used to query the associated Firebase Realtime Database. Depending on the database security rules, this may grant unauthorized read access to sensitive user data. |
|---|
| Source | ⚠️ https://www.notion.so/Firebase-API-Key-Exposure-Leading-to-Unauthorized-Anonymous-Authentication-and-Data-Access-in-app-in-3262de3f97fb80f1abe6fb5f3eb373bc?source=copy_link |
|---|
| User | fxizenta (UID 28116) |
|---|
| Submission | 03/17/2026 15:42 (21 days ago) |
|---|
| Moderation | 04/03/2026 09:37 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355075 [Investory Toy Planet Trouble App up to 1.5.5 on Android app.investory.toyfactory google-services-desktop.json current_key hard-coded key] |
|---|
| Points | 17 |
|---|