# Insecure storage of business credentials

## Description

The vulnerability was found in a public car management app from an international car manufacturer. The app allows owners of this company's cars to read and manage information about their car, such as digital keys, central lock, battery level and others.

The app exposed Azure AD Service Principal credentials in an insecure Firebase Remote Config, allowing any external app or user with access to the app to extract them.

These credentials allowed successful authentication against Microsoft Azure AD using the OAuth 2.0 client\_credentials flow, resulting in valid access to a private API that was used to manage actions related to car charging.

## Exploitation

1\) The app was a public app accessible from the Play Store.

2\) Once installed, I simply used the app **Rcspy** by **Tushar Ghighe** (<https://github.com/tusharonly/rcspy>), which automates the Firebase Remote Config detection and reading for every installed app on the device.

{% hint style="info" %}
**Note**: Firebase Remote Config is a widely used solution for configuring **non-sensitive** components of an app without having to release updates. For example, if the app needs maintenance, the app owners can just use a config key like "IsMaintenance" and switch the parameter from "false" to "true" to trigger a specific activity at launch. However, some developers don't know that these values are publicly accessible, because they are always delivered to the client side.

As a result it can sometimes happen that developers put sensitive information like private API keys, private tokens or credentials in Firebase Remote Config.
{% endhint %}

3\) I just analysed the remote configs and found the Azure AD Service Principal client\_id and client\_secret stored in cleartext.

<figure><img src="/files/CVG0r8PqAtTtQmn9J4vp" alt="" width="375"><figcaption></figcaption></figure>

4\) Credentials validity check

<figure><img src="/files/MjfPWcO1cqjzRu5AgFrd" alt="" width="563"><figcaption></figcaption></figure>

5\) Post-exploitation (out of scope)
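The cheapest defensive counterpart to the steps above is to scan a Remote Config template for credential-looking parameters before it is published. The following added example (not the author's tooling, not Rcspy, and not the manufacturer's real config) runs such a check over a constructed template in the JSON shape the Remote Config REST API uses (`parameters` -> `defaultValue` / `conditionalValues`); the parameter names, the GUID and the secret-like string are all made up.

```python
import json
import math
import re
from collections import Counter

# Constructed sample template; every name and value here is invented.
SAMPLE_TEMPLATE = json.dumps({
    "parameters": {
        "IsMaintenance": {"defaultValue": {"value": "false"}},
        "welcome_banner": {"defaultValue": {"value": "Welcome back!"}},
        "charging_api_client_id": {
            "defaultValue": {"value": "11111111-2222-3333-4444-555555555555"}},
        "charging_api_client_secret": {
            "defaultValue": {"value": "xQ8~kz3P_vD1aB2cE4fG5hJ6kL7mN8pQ9rS0t"},
            "conditionalValues": {"prod": {"value": "xQ8~kz3P_vD1aB2cE4fG5hJ6kL7mN8pQ9rS0t"}},
        },
    }
})

# Parameter names that should never carry a real value on the client side.
SENSITIVE_NAME = re.compile(r"secret|passw(or)?d|token|api[_-]?key|client[_-]?id", re.I)
# Azure AD client ids and tenant ids are GUIDs.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_high_entropy(value, min_len=20, min_bits=3.5):
    # Long, high-entropy strings are typical of generated secrets.
    return len(value) >= min_len and shannon_entropy(value) >= min_bits

def iter_values(param):
    # Yield every value a client could receive: default plus each condition.
    yield "default", param.get("defaultValue", {}).get("value")
    for cond, v in param.get("conditionalValues", {}).items():
        yield cond, v.get("value")

def find_suspicious_parameters(template_json):
    """Return (parameter, scope, reasons) for each value that looks like a credential."""
    findings = []
    for name, param in json.loads(template_json).get("parameters", {}).items():
        for scope, value in iter_values(param):
            if not isinstance(value, str):
                continue
            reasons = []
            if SENSITIVE_NAME.search(name):
                reasons.append("sensitive-looking parameter name")
            if GUID.match(value):
                reasons.append("GUID value (possible Azure AD client/tenant id)")
            if looks_high_entropy(value):
                reasons.append("long high-entropy value")
            if reasons:
                findings.append((name, scope, ", ".join(reasons)))
    return findings
```

Wire it into the pipeline that publishes the template so any finding fails the release; the heuristics are deliberately loose, so treat a hit as a prompt to review, not as proof.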

## Risks

The risks depend on the rights of the service principal user. As post-exploitation was out of scope, it's hard to know the real risk associated with this leak, but if the user isn't well hardened, well... you can imagine that it could lead to a critical cloud environment takeover in the worst scenario, or to a very low impact if the principle of least privilege is respected.

## Reward

No reward (Duplicate)
