Investory Toy Planet Trouble App Firebase API Key Exposure Vulnerability

Vulnerability

A vulnerability exists in the Investory Toy Planet Trouble App for Android, specifically in versions up to 1.5.5. The issue arises from a hard-coded Google Firebase API key located in the file assets/google-services-desktop.json within the app.investory.toyfactory component. This vulnerability allows local attackers to extract the API key and use it for unauthorized access to Firebase services. Exploitation involves creating an anonymous user through Firebase Identity Toolkit, which can then be used to access data from the Firebase Realtime Database, potentially leading to exposure of sensitive user information.

Impact

Exploitation of this vulnerability allows for unauthorized access to Firebase services, including the creation of anonymous user accounts that can be used to access data from the Firebase Realtime Database, depending on the database's security rules.

Reproduction

The vulnerability can be reproduced by downloading the Investory Toy Planet Trouble App version 1.5.5 for Android. After installation, the hard-coded Firebase API key can be extracted from the assets/google-services-desktop.json file. This key can then be used to authenticate as an anonymous user with Firebase, allowing access to the Firebase Realtime Database if the security rules permit it.
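Because the outcome depends on whether the security rules admit an anonymous account, the following added example (not part of the original advisory or of the app's code) audits a Realtime Database rules file for `.read`/`.write` expressions that any signed-in user, anonymous ones included, would satisfy. The sample rules are constructed for illustration, and the regex checks are a heuristic, not a full parser of the rules language.

```python
import json
import re

# Constructed sample rules (not taken from the app): one subtree per case.
SAMPLE_RULES = json.loads("""{"rules": {
  "public":   {".read": true},
  "profiles": {".read": "auth != null", ".write": "auth != null"},
  "scores":   {"$uid": {".read": "auth != null && auth.uid === $uid",
                        ".write": "auth.uid === $uid && auth.provider !== 'anonymous'"}},
  "admin":    {".read": false, ".write": false}
}}""")

# Expressions that bind access to one identity or exclude anonymous sign-in.
UID_BOUND = re.compile(r"auth\.uid\s*={2,3}\s*\$\w+|\$\w+\s*={2,3}\s*auth\.uid")
NON_ANON = re.compile(r"auth\.provider\s*!={1,2}\s*['\"]anonymous['\"]"
                      r"|sign_in_provider\s*!={1,2}\s*['\"]anonymous['\"]")


def classify(expr):
    """Return a finding for one .read/.write expression, or None if acceptable."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "open to unauthenticated clients"
    if expr is False or not isinstance(expr, str):
        return None
    if "auth" not in expr:
        return "no auth condition"
    if UID_BOUND.search(expr) or NON_ANON.search(expr):
        return None
    return "any signed-in user, including anonymous accounts"


def audit(node, path=""):
    """Walk the rules tree and collect (path, operation, finding) tuples."""
    findings = []
    for key, value in node.items():
        if key in (".read", ".write"):
            finding = classify(value)
            if finding:
                findings.append((path or "/", key, finding))
        elif isinstance(value, dict):
            findings.extend(audit(value, f"{path}/{key}"))
    return findings


if __name__ == "__main__":
    for path, op, finding in audit(SAMPLE_RULES["rules"]):
        print(f"{path} {op}: {finding}")
```

Rules flagged with the last finding are the ones an anonymously created account would pass; rules that compare `auth.uid` to the path variable or exclude the anonymous provider are not flagged.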

Added: Apr 3, 2026, 4:19 PM
Updated: Apr 3, 2026, 4:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.