Google’s Dynamic Links API can be abused to create legitimate-looking short links on any domain, including those owned by attackers, without requiring authentication. This vulnerability was demonstrated through a bug bounty report leading to Google’s partial fix, though the metadata manipulation loophole still poses risks. #FirebaseDynamicLinks #GoogleVulnerability
Keypoints
- Google’s Firebase Dynamic Links can be exploited for malicious short links on any domain.
- API keys embedded in apps allow attackers to generate redirects without authentication.
- Google issued a fix to restrict redirect creation via Allowed Domains but metadata manipulation remains a concern.
- Attackers can craft links that appear legitimate through metadata, misleading users even without redirection.
- The vulnerability highlights the importance of understanding API key usage and domain verification in security.