Bypassing Firebase Authorization to Create Custom app.goo.gl Subdomains
With the discontinuation of Google’s goo.gl URL shortening service, developers and users alike have sought alternative methods for generating short, user-friendly URLs using Google’s ecosystem. One such alternative service is Firebase Dynamic Links, which offers robust, customizable short links designed to enhance user experience across platforms.
Understanding Firebase Dynamic Links
Firebase Dynamic Links enable users to create short URLs that can reliably direct users to specific locations within mobile apps or websites. These short URLs operate on *.app.goo.gl or *.page.link subdomains. Traditionally, each Firebase project received a randomized subdomain under app.goo.gl, such as i63lqb.app.goo.gl, which could also be accessed via a mobile-friendly URL like goo.gl/app/i63lqb/ourLink.
Additionally, Firebase permits the creation of up to four *.page.link subdomains per project, where users can define custom subdomain prefixes. This flexibility supports tailored branding and easier link recognition.
Discovery of an Authorization Flaw
During the process of setting up a new subdomain, a significant API endpoint was identified: /v1/checkValidDomainForProject. This endpoint verifies the validity and availability of a desired subdomain, returning an OK response when the requested prefix is acceptable and unused. Upon approval, the interface enables creation of the subdomain via another API call: /v1/createDomainForProject.
Crucially, altering the domainUriPrefix parameter from the permitted *.page.link domains to *.app.goo.gl surprisingly succeeded. The system accepted a custom prefix on the app.goo.gl domain, a subdomain traditionally reserved exclusively for Google’s official products (e.g., maps.app.goo.gl, news.app.goo.gl).
Security Implications
This vulnerability reveals an alarming scenario:
An unauthorized user can create a custom subdomain under app.goo.gl using the Firebase Console without Google’s exclusive authorization. This flaw compromises the integrity of the
app.goo.glnamespace.
Such exploitation has multiple risks:
- Brand Spoofing: Attackers can generate URLs mimicking legitimate Google services, misleading users.
- Phishing Attacks: Malicious actors can host scams or malware under trusted
app.goo.glsubdomains. - Trust Exploitation: The perceived authenticity of Google domains may be abused for fraudulent purposes.
Technical Analysis
By intercepting and manipulating REST calls, it was possible to bypass intended domain verification rules. The key steps included:
- Querying
/v1/checkValidDomainForProjectto validate the desired custom subdomain. - Sending a
POSTrequest to/v1/createDomainForProjectwith the customdomainUriPrefixparameter set toapp.goo.glinstead of the expectedpage.link. - Successfully registering the custom
*.app.goo.glsubdomain to the Firebase project.
This process bypassed restriction mechanisms that were presumably meant to restrict app.goo.gl subdomain creation to Google’s internal products only.
Addressing the Vulnerability: Timeline and Response
| Date | Event |
|---|---|
| 2018-08-10 | Vulnerability reported to Google |
| 2018-08-13 | Priority assigned: P1 (Critical) |
| 2018-08-14 | Under review and accepted by Google’s security team |
| 2018-08-22 | Fix deployed in Firebase backend |
| 2018-08-29 | Bug bounty reward issued |
Latest Research and Broader Context
Research into URL shortener security continues to highlight the risks associated with delegation and namespace control. For instance, a 2022 study by Agarwal et al. in the Proceedings of the ACM on Internet Measurement Conference found that compromised URL shortener platforms are frequently exploited for phishing and malware distribution, impacting millions of users annually.
In practice, secure domain delegation and strict authorization validation are critical to preventing namespace hijacking. Services like Firebase need to implement robust verification at both API and console levels to ensure malicious actors cannot abuse reserved subdomains.
After this incident, Google reinforced its Firebase Dynamic Links platform to close domain spoofing loopholes. Users and developers are encouraged to audit their projects for unauthorized subdomains and monitor Firebase’s latest security advisories.
Summary and Key Takeaways
- Firebase Dynamic Links allow creation of short URLs on
*.app.goo.gland*.page.linkdomains. - An authorization flaw permitted the creation of custom
app.goo.glsubdomains by unauthorized users. - This exposed serious risks, including phishing and brand spoofing.
- The vulnerability was responsibly reported, prioritized, and fixed within two weeks by Google.
- Continuous vigilance and secure practices are essential for URL shorteners to prevent similar attacks.
