Open random-robbie opened 4 years ago
Funny, I was just trying a few hours ago to take over a Firebase app. I could not, but what I noticed is that the TXT record is the same for the same custom domain in the same user session. I did not test further; I was lazy. The remaining test is to check if the TXT record is the same for the same custom domain after logout/login, and most importantly across any account, because if the victim is given a TXT record, but you are given another one for the same vulnerable.example.com, then it is not vulnerable.
@random-robbie This is the TXT record I get when I try to add github.com:
google-site-verification=_hFoiuxEK5rlpZZfR8DgLq48UvrqRleu6cat5EBe3x0
Can you tell me if you get the same?
I get a different one: google-site-verification=vENMi3mjve0BU8HfQLJQ3ts8B9U8IF3UDBdWpN8Y1ls
@shoeper Thanks for confirming. I keep getting the TXT I said at the beginning, so I think we get a constant TXT per account and hostname. That would mean it is not vulnerable, since other accounts get a different TXT value.
Is it possible to take over a Firebase subdomain?
Service name
Google Firebase
Can I take it over
No - requires a TXT record to authenticate it, so it's not possible.