What can knowledge of FCM server key gives to an attacker?

Question

Let's say, some attacker was able to know FCM "Server key" for some Firebase project (which is displayed in "Project overview" -> "Settings" -> "Cloud messaging" -> "Server key"). Please note that he learned only this key, but no any FCM tokens.

What destructive actions can he make, using only this key? In particular, can he send push-notification to all mobile devices for which the corresponding mobile application is installed? (i.e. it corresponds to this Firebase project)

According to Firebase documentation, sending of push-notifications to multiple devices is able for the following cases:

1. Grouping of FCM tokens: we don't need to worry about it, since attacker doesn't know any FCM tokens.

2. Usage of topics: if we (i.e. server) didn't subscribe any devices to topics yet, we also don't need to worry about this situation (since attacker cannot specify the desired topic for sending).

So, it looks like sending to all mobile devices is impossible for attacker. Do I right?

P.S. My assumption is correct, only if attacker can't retrieve list of all FCM tokens for its server key. Does he really can't do it?

Answer 1

An attacker could use that to attempt to exceed existing FCM limits, which could impact your ability to send messages successfully. Even if you don't use topic messaging today, an attacker might impact your ability to use topic messaging effectively in the future.