By Animesh Sasmal Tuesday August 25, 2020
You are not the single one, a mass of Google Hangout users get a test notification which says “FCM Messages Test Notification!!!“.
Some users get 2 notification at a time, some are getting 4 notification with the same “FCM Messages Test Notification!!!” alert. But no one knows why it’s happening.
When you click on the notification it loads up hangouts screen but nothing happens. You will only get the home screen of the Hangout App.
On the internet, Google Hangout users are bursting with their questions from the night of 24th of August 2020. But Google officially doesn’t release any press statement.
Expert says FCM means “Firebase Cloud Messaging“.
Firebase is a Google’s flagship mobile app development platform that is a cross-platform cloud solution for messages and notifications for Android, iOS, and web applications. It is currently available at zero cost for developers. The service is provided by Firebase, a subsidiary of Google.
But an article was written about a week ago (Published on 17th August 2020) that shows vulnerabilities with the Firebase Cloud Messaging Service.
A tech guy cum Bug Hunter Abss recently discover a security issue that allows attackers to send mass notifications to Android users. He received a prize of more than, $ 30,000 for his discovery.
Inspired by #AndroidHackingMonth, Abss started his bug hunting process. Initially, he goes through some testing blogs, latter he investigated the gcp_keys.txt file containing Google Cloud Project (GCP) API keys.
According to Abss gcp_keys.txt file usually stores keys with no impact (as GCP keys can be utilized for different APIs), while investigating he looked into variable names to determine the privileges assigned to the keys.
He found two variables – server_key and notification_server_key – related to the Firebase Cloud Messaging (FCM) service. If FCM is in use, this enables the sending and delivery of push notifications to iOS and Android devices.
He subsequently discovered issues with FCM concerning Legacy Server Keys which might be abused to send requests via legacy HTTP, thereby security block measures implemented within the HTTP v1 protocol, which needs a 0Auth 2.0 access token to send requests.
The scope of the difficulty might be massive, particularly when combined with the server-side ‘topics’ feature that’s used for subscribing app users to different notification categories.
His bug discovery may not be connected to the “FCM Messages Test Notification” alert. But there is a high chance that it is the main reason behind this false alert notification from Google Hangout.