Bypassing Firebase authorization to create custom subdomains

Since the support of has already ended, I’ve been looking for ways to shorten URLs using Google services.

Some time ago I found a bug that allowed me to shorten links using Google’s official shortener.

This time I took a look at Firebase Dynamic Links.

Firebase Dynamic Links

They work by allowing you to create short URLs on either * or * subdomains.

Before subdomains in Firebase were discontinued, there was a randomly generated subdomain for each Firebase project, something like It could also be accessed via (= on mobile devices).

You could also create four more * subdomains, but this time you could choose your own subdomain.

Setting up a new subdomain

When I was setting up a new subdomain I noticed an interesting API call.


This returned an OK response in case the subdomain I wanted to create was both valid and not already in use. In case it was OK, the Create button was enabled and I was able to create it. Otherwise, it showed an error.

Once I clicked the button to create it, another API call was fired, this time to:


also containing the desired subdomain in its body.

If I let the POST call through, it would successfully add the subdomain to my project.

But let’s go back to the last API call. Since we know there are two types of domains we can use to shorten links in Firebase, let’s try to replace the value of the domainUriPrefix parameter from with

Surprisingly, this actually worked. A <myCustomPrefix> subdomain was added and could be used in the project.

Since custom * subdomains like or are used only for official products by Google, they should be registered only by them.

This leaves us with the following attack scenario:

A regular user can create custom subdomains on via the Firebase Console. This should be possible to do only by Google.
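The missing server-side check behind this scenario, sketched as an added example (not code from the original post or from Google): the create handler itself has to decide which domain suffixes the calling project may use, in addition to checking format and availability. The suffixes `links.example` and `official.example`, the project IDs and all function names are constructed placeholders.

```javascript
// Constructed placeholders; the real domain names are not reproduced here.
const PUBLIC_SUFFIX = "links.example";      // any project may claim a subdomain here
const RESERVED_SUFFIX = "official.example"; // reserved for the operator's own products
const OPERATOR_PROJECTS = new Set(["operator-internal"]); // hypothetical allowlist
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Strictly parse "https://<label>.<suffix>"; return null for anything else.
function parsePrefix(domainUriPrefix) {
  let url;
  try { url = new URL(domainUriPrefix); } catch { return null; }
  if (url.protocol !== "https:" || url.username || url.password || url.port ||
      url.pathname !== "/" || url.search || url.hash) return null;
  const host = url.hostname;            // already lowercased by the URL parser
  const dot = host.indexOf(".");
  if (dot < 1) return null;
  const label = host.slice(0, dot);     // first label only, so nested names fail the suffix check
  const suffix = host.slice(dot + 1);
  return LABEL.test(label) ? { label, suffix, host } : null;
}

// Before: format and availability are checked, the suffix is never tied to the caller.
function createPrefixUnchecked(store, projectId, domainUriPrefix) {
  const p = parsePrefix(domainUriPrefix);
  if (!p) return { ok: false, error: "INVALID" };
  if (store.has(p.host)) return { ok: false, error: "TAKEN" };
  store.set(p.host, projectId);
  return { ok: true, host: p.host };
}

// After: suffix authorization is derived from the caller on every create request.
function allowedSuffixes(projectId) {
  return OPERATOR_PROJECTS.has(projectId)
    ? [PUBLIC_SUFFIX, RESERVED_SUFFIX] : [PUBLIC_SUFFIX];
}

function createPrefix(store, projectId, domainUriPrefix) {
  const p = parsePrefix(domainUriPrefix);
  if (!p) return { ok: false, error: "INVALID" };
  if (!allowedSuffixes(projectId).includes(p.suffix))
    return { ok: false, error: "SUFFIX_NOT_ALLOWED" };
  if (store.has(p.host)) return { ok: false, error: "TAKEN" };
  store.set(p.host, projectId);
  return { ok: true, host: p.host };
}
```
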

2018-08-10: Vulnerability reported
2018-08-13: Priority changed to P1
2018-08-29: Reward issued

Written by Thomas Orlita