MrBruh’s Epic Weblog

2024-01-09 17:41:38

Also check out Eva’s blog post on this event.

With an upbeat pling, my console alerted me that my script had finished running; specifically, it had been searching for exposed Firebase credentials on any of the hundreds of recent AI startups.

This was done using a public list of sites on the .ai TLD and parsing each site’s data (and any referenced .js bundles) for references to common Firebase initialisation variables.

Production: {
    apiKey: "AIza<Insert_Funny_Joke_Here>",
    authDomain: "KFC.firebaseapp.com",
    databaseURL: "https://KFC.firebaseio.com",
    projectId: "KFC",
    storageBucket: "KFC.appspot.com",
    messagingSenderId: "123456789"
}

My hunch was that in the rush to push their shiny new product, somebody would take a shortcut and forget to implement proper security rules.

The hunch was right, and it was worse than I could have ever guessed.

Meet Chattr.ai

…The self-proclaimed AI hiring system that claims to shave 88% of the day off hiring new people.

They provide their services to a huge number of fast food chains and other hourly employers around the US, including but not limited to:

  • Applebees
  • Arbys
  • Chickfila
  • Dunkin
  • IHOP
  • KFC
  • Shoneys
  • Subway
  • Tacobell
  • Target
  • Wendys

The Vulnerability

If you drop the Firebase configuration from the JS bundle into Firepwn, you start out with zero permissions, as you can see in the following screenshot.

But if you use Firebase’s registration feature to create a new user (you can’t register on their website), you get full privileges (read/write) to the Firebase DB.

The data it exposes includes, but is not limited to:

  • Names
  • Telephone numbers
  • Emails
  • Plaintext passwords (only some accounts had exposed passwords)
  • Locations of branches
  • Confidential messages
  • Shifts for the following:
    • Chattr employees
    • Franchisee managers
    • Job candidates

It Gets… Worse?!

Yeah, it somehow manages to get even worse.

If you grab the list of admin users from /orgs/0/users, you can splice a new entry into it, giving you full access to their Administrator dashboard.

As you can see below, it allows far more control over their systems, including accepting/denying applicants and even refunding payments made to Chattr.
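Both problems above (any self-registered account getting full read/write, and the admin list being writable from the client) come down to Realtime Database rules that any signed-in client satisfies. As an added example that is not code from this post or from Chattr, here is a small linter that walks a rules document and flags such grants, run against a weak rule set and a hardened one; the /orgs/$orgId/applicants layout and the `admin` custom claim are assumptions.

```javascript
// Added example (not from the post): lint Firebase Realtime Database rules for
// read/write grants any self-registered account satisfies. Layout is constructed.
const BROAD = new Set(['true', 'auth != null', 'auth !== null']); // any signed-in client

// Walks one rules subtree, returning { path, perm, expr } for each broad grant.
function walk(node, path) {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if (key === '.read' || key === '.write') {
      const expr = String(value).trim();
      if (BROAD.has(expr)) findings.push({ path: path || '/', perm: key, expr });
    } else if (value && typeof value === 'object') {
      findings.push(...walk(value, `${path}/${key}`));
    }
  }
  return findings;
}

// Entry point: takes the whole rules document ({ rules: { ... } }).
function findBroadGrants(doc) {
  return walk(doc.rules || {}, '');
}

// Weak rules of the kind the post describes: any signed-in user can read and
// write the whole database, admin list included.
const weakRules = { rules: { '.read': 'auth != null', '.write': 'auth != null' } };

// Hardened variant: deny by default, let a user reach only their own record, and
// make the admin list readable only by admins (custom claim set server-side with
// the Admin SDK) and not writable from the client at all.
const hardenedRules = {
  rules: {
    '.read': false,
    '.write': false,
    orgs: {
      $orgId: {
        users: {
          '.read': 'auth != null && auth.token.admin === true',
          '.write': false,
        },
        applicants: {
          $uid: {
            '.read': 'auth != null && (auth.uid === $uid || auth.token.admin === true)',
            '.write': 'auth != null && auth.uid === $uid',
          },
        },
      },
    },
  },
};
```

Running `findBroadGrants` over your deployed rules JSON before each release catches a root-level `auth != null` grant long before someone else does.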

Timeline (DD/MM)

  • 06/01 – Vulnerability found
  • 09/01 – Write-up completed & emailed to them
  • 10/01 – Vulnerability patched
  • No contact or thanks has been received back to date

Credit

To my friends who helped me with this pentest and the responsible disclosure of it.

2022 Blinking Robots.