Google Hangouts might not be as popular as it once was, but there are still plenty of people hanging on to it. A good number of Hangouts users across the globe received some strange notifications yesterday, which may be linked to a vulnerability in Google's Firebase platform.
Last week a vulnerability was published for Firebase Cloud Messaging (FCM), which many of Google's apps, including Hangouts, use to deliver notifications. The vulnerability allows someone to exploit FCM keys stored in APK files in order to broadcast messages to anyone using a Firebase-based application — in this case, Hangouts.
Yesterday, some Hangouts users received a suspicious "Test Notification!!!!" alert labeled "FCM Messages." Tapping the message opens the Hangouts conversation list, with no sign of this strange alert anywhere to be seen.
It's almost certain that these two events are related, but we don't yet know exactly what caused the mass notifications to go out. It could be that Google inadvertently sent users a message while trying to fix the issue, or perhaps a curious hacker was poking around to see how far the vulnerability goes.
In any case, the messages themselves have been harmless. Google is aware of the issue and is investigating. We've also reached out directly for comment and will update this post with any developments.
- Glenn Matthys