Today you may have received a Teams notification on your phone with a message similar to "FCM Test Messages". We're going to explain what that means, what's going on, and what you need to know going forward.
To understand what's happening, first we need to understand how push notifications work on modern mobile devices. For an app on your phone to know that something has changed, for example a new email is available or you have a new message, there are two approaches.
Either the app periodically sends a request asking whether there are any new messages, say every five minutes (aka polling), or the service sends a message to your phone as and when there is a new message available (aka push notifications).
Polling has several disadvantages - new messages or information would only come through every so often in batches, rather than updating live - and the app on your phone would need to be running in the background to send the requests, significantly draining battery life.
Push notifications solve these issues by having the service the message is coming from tell the phone when new information is available. However, for a variety of reasons that we won't go into in this short post, this is tricky to implement and run, so most apps use a third party service - one of the most common being Firebase Cloud Messaging, which is run by Google.
What's up with FCM?
Recently, Abhishek Dharani, a Bangalore-based security researcher known as "Abss", found a vulnerability in the Firebase Cloud Messaging code (correction: the vulnerability is caused by a misconfigured authentication key in apps, not in the FCM code itself), which allows an attacker to send push notifications to any phone with a vulnerable app installed - it's estimated that 15% of apps that use FCM are vulnerable to this attack - and FCM is used by many apps, including
Since this information was published on August 17th, a number of apps have had mysterious push notifications sent to their users, the most recent being Microsoft Teams.
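As an added illustration (not code from the original post, nor from the researcher mentioned), here is the kind of check an app team can run over a source tree or decompiled app resources to catch the misconfiguration described above: a server-side FCM key shipped inside the app. The key shape matched here is an assumption based on the documented format of legacy FCM server keys, and the sample strings are constructed.

```python
import re

# Assumed heuristic for a legacy FCM *server* key: starts with "AAAA",
# contains ":APA91b", and runs to roughly 150 characters. This is the
# key that grants the ability to send notifications and must never be
# embedded in a client app.
FCM_SERVER_KEY = re.compile(r"AAAA[A-Za-z0-9_\-]{7}:APA91b[A-Za-z0-9_\-]{100,}")


def scan_strings(lines, source="app"):
    """Return a finding per server key found, with the key redacted to a
    fingerprint so the scanner's own output does not leak the secret.

    Client-side values that are expected inside an app (an "AIza..." API
    key, the numeric sender id) are deliberately not flagged: they do not
    let anyone send notifications, which is the point of the correction
    in the post above.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in FCM_SERVER_KEY.finditer(line):
            key = match.group(0)
            findings.append({
                "source": source,
                "line": lineno,
                "kind": "fcm_server_key",
                "fingerprint": f"{key[:8]}...({len(key)} chars)",
            })
    return findings


# Constructed sample, as if extracted from a decompiled APK's strings.xml
# and a Java constants class. The server key below is fake.
FAKE_SERVER_KEY = "AAAA" + "k" * 7 + ":APA91b" + "x" * 134
SAMPLE_STRINGS = [
    '<string name="google_api_key">AIza' + "Q" * 35 + "</string>",
    '<string name="gcm_defaultSenderId">123456789012</string>',
    'private static final String SERVER_KEY = "key=' + FAKE_SERVER_KEY + '";',
]

if __name__ == "__main__":
    for finding in scan_strings(SAMPLE_STRINGS, "strings.xml"):
        print(finding)
```

A hit means the sending credential is in the app and should be revoked in the Firebase console and replaced with a key held only on the sending server.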
What do I need to do?
While so far there have not been any known malicious notifications sent, it's very possible that this exploit will be used to phish for personal details, by sending a notification that appears to come from the genuine app and contains a link to a malicious site. There is no direct cybersecurity risk, and none of your data could be accessed directly; however, for the time being, until the vulnerability has been patched in major apps or FCM implements protections, you should be very careful not to click on notifications that ask for information, ask you to log in, or ask you to enter any details.
For further protection against phishing, you may wish to implement Security Keys, as discussed in a previous blog here. Additionally, IT+X is offering a free, no-obligation IT System Audit, including a Security review. Get in touch here.