125 Million Effected Accounts By FireBase Configuration

  • Published: 11 Sep 2024
  • Recorded live on twitch, GET IN
    Article
    env.fail/posts...
    By: mrbruh, xyzeva & logykk | env.fail/about

Comments • 217

  • @philunruh2368 4 months ago +223

    For those wondering, Firestore rejects all requests by default. You have to set up security rules to access data. You do have the option to run your database in test mode, where all data is publicly available. I’m guessing a good percentage of this data was exposed because the database was in test mode.

    • @juanmacias5922 4 months ago +21

      Exactly, and because the devs did not RTFM...

    • @soverain 4 months ago +27

      In fact test mode is disabled automatically after 30 days. So it has to be deliberately set to public access after that period.

    • @mrnEight8 4 months ago +6

      @soverain yeah, I was thinking the same…devs stay wondering why ITOPS and SecOPS give them crap about their dev and prod environments…here’s why..

    • @ericjbowman1708 4 months ago +6

      Doesn't matter. Passwords should never be saved as plain text, period.

    • @softwaredeveloper6791 4 months ago

      @ericjbowman1708 If the password isn't stored as plain text in a txt document, then how will the logins work? I can't remember what day of the week it is, much less my password (currently it's P4ssw0rd)

  • @xiaoshen194 4 months ago +547

    U meant affected*

    • @NabekenProG87 4 months ago +13

      effect(users)

    • @trappedcat3615 4 months ago +43

      *You
      "U" is not a word. Also, you wrote a sentence without a period (big no no).

    • @FinahRS 4 months ago +24

      @trappedcat3615 Your first sentence in your comment doesn't have a period, lol.

    • @Dannnneh 4 months ago +35

      @trappedcat3615 You put the corrective asterisk on the wrong side of the "You". Also, you didn't hyphenate "no-no".

    • @NabekenProG87 4 months ago +2

      @trappedcat3615 What about sentences with two periods..

  • @EnterANameReal 4 months ago +48

    My interpretation of the "do you have a girlfriend?" message
    - support person being customer-facing has *zero* idea what Firebase is
    - they get the message, and think it's a scammer trying to get them to do some exploit
    - they "play around" with the scammer and respond jokingly

    • @chindianajones3742 4 months ago

      Yes I've done this with scam text messages lol

    • @Leonhart_93 4 months ago +1

      Likely. And anyway, it's advantageous to try the guy to open up for free and 99% of them will be guys.

    • @HyperionStudiosDE 4 months ago +1

      or they are the scammer and just don't care that they're exposing data.

    • @daddy7860 4 months ago

      Or it was a scam organization's hired underpaid 14 year old Indonesian girl as customer support

  • @shaunkruger 4 months ago +88

    The unencrypted passwords on the gambling site aren’t a bug, it’s probably a feature of the identity theft honeypot.

    • @user-in2cs1vp6o 4 months ago +4

      Wouldn't the thief want it encrypted for themselves

    • @pianochess1882 4 months ago +3

      You generally don’t encrypt passwords, but you rather hash them

    • @ChrisWijtmans 4 months ago

      @pianochess1882 a hash is a one way encryption.

  • @ericwadebrown 4 months ago +98

    s/Effected/Affected

    • @RickYorgason 4 months ago +1

      Maybe 125 million accounts were created.

    • @omri9325 4 months ago +1

      The typos are intentional to make you comment and get the algorithm to boost it

    • @art0007i 4 months ago

      Reminds me of a video I saw recently ruclips.net/video/CzXJ0i4xABI/видео.html

    • @ericwadebrown 4 months ago +1

      @omri9325 That makes sense. He is a clown like that.

  • @caseykawamura8718 4 months ago +66

    This is funny, I remember setting up a firebase project while I was in school and thought it was really stressful having to teach myself how to be secure handling information. I thought about how there were tons of projects that probably aren't set up correctly and didn't do anything about it because I assumed I just had skill issues and everyone else knew how to be secure with their firebase setup.
    I never thought about it being considered a major vulnerability like this...

    • @caseykawamura8718 4 months ago

      Are there bounties for stuff like this where it's a documentation vulnerability?

    • @ValipPowa 4 months ago +3

      it isn't a vulnerability lol the site owners quite literally ALLOW you to fetch from db they just didn't care about permissions

    • @caseykawamura8718 4 months ago

      @ValipPowa I wouldn't have considered it a vulnerability either, but there are a lot of people just learning firebase and don't recognize that the doc sets default users to read/write.
      In a roundabout way this caused a lot of people to have their PII stolen. Is it google's fault? idk.. it's a weird situation. It does look really bad on them though when so many of their users have this kind of problem from following THEIR instructions.

    • @ElclarkKuhu 4 months ago

      @caseykawamura8718 No, it's not r/w by default. Some people say you'll need to enable test mode to make it r/w and it's automatically disabled every 30 days, but I can't confirm it, I haven't used firebase in years

    • @RandomNoob1124 4 months ago +1

      Well that’s just a problem in software in general, people never think about security initially. It’s never a skill issue to think about security first, actually the opposite. If you think it was stressful in the beginning, it is damn near impossible when you already built your system and did not put one thought into security

  • @Ryan-in3ot 4 months ago +26

    firebase sends me an email every four hours saying "any user can read your entire database" which is the entire point of my site. I know that's a separate issue from users exposing their auth keys but at least firebase cares a little

  • @TheBuddilla 4 months ago +109

    Almost every Influencer "Just use third party services, it's inherently safer than rolling your own..."
    Doesn't matter what service you use or if you roll your own. A skill issue is a skill issue.

    • @user-gi4qu9do2v 4 months ago +5

      In most cases password hash + salt approach is more safe for users and more convenient for devs (you can do awesome things when you define how auth works). To be honest, it's not skill issue - sometimes doc for such services sucks. It's easy to set up, but there is no nuances and creators thoughts on what's happening and how it's working.

    • @andythedishwasher1117 4 months ago +3

      I usually try to be safe by using a social provider and not touching a user's password with a ten foot pole. When I need to store their email or phone number or other PII, I set up a security rule on the Firestore collection that only allows clients logged in as the user to access that particular user's data, but no one else's. Firebase docs provide a pretty specific config for that exact use case.

    • @juanmacias5922 4 months ago +7

      There are way more skill issues when rolling out your own, than by just reading the documentation. Firebase plainly states that you need to set up the rules.

    • @TheBuddilla 4 months ago

      @juanmacias5922 Rolling your own has the same security concerns as getting vendor locked in a 3rd party system and I see no difference. I moved back to python, php and even c/cpp... JS/TS ecosystem is all messed up and just a big circle jerk of new shiny things and serverless vendors being promoted by influencers... Not reading docs is a skill issue, I even struggle with it myself.
      At some point I'll port some things to rust...

    • @TheBuddilla 4 months ago

      @andythedishwasher1117 How hard is it to argon2 hash a password and then later compare it when a user logs in. You're basically just running an api key and off loading the login to a third party that has a bigger target on its back. If your api keys get compromised your users are exposed and you expose yourself to high fees when your api key is used for nefarious reasons. Also, if your third party provider goes down as most of them are on AWS which has an even bigger target on its back your users are still screwed.

  • @martenkahr3365 4 months ago +15

    Interesting fact about casinos: a lot of the elderly folks you see in them don't really care about winning. They're there because it averages out to be cheaper than retirement home rates, and the first aid training of the security staff tends to be pretty good.

    • @snorman1911 4 months ago +7

      Are they sleeping in the casino?

    • @nikolaygruychev2504 4 months ago +7

      i see no sources in ur comment and this doesn't seem that plausible but imma take your word for it because its kinda funny

    • @cedricol 4 months ago

      @nikolaygruychev2504 same. It's probably BS, but I will believe it because it's a good story.

  • @duke605 4 months ago +35

    I wouldn't call this a vulnerability, i would call this a skill issue

    • @davesomeone4059 4 months ago

      Same thing

    • @duke605 4 months ago

      @davesomeone4059 yes and no. Buffer overflow and memory vulnerabilities are technically skill issues. But I wouldn't put them on the same level as not setting up permissions for your database properly/at all

    • @edism 4 months ago

      No, configuration issues are the dev's fault @davesomeone4059

  • @TheGkmasta 4 months ago +4

    Used Firebase for a project several years ago. Setting up the DB auth rules was the most convoluted and meticulous thing I've ever had to do in software development. I can see how it could easily be screwed up. (I'm assuming the general method is still the same as it was back then.)

    • @adriankal 4 months ago +3

      It wasn't even remotely as hard as securing backend with sql db or mongo.
      Protecting against sql injection, ddos attacks etc is way harder than writing a few firebase rules.

    • @TheGkmasta 4 months ago

      @adriankal Funny, those things seem easy to me. I guess we all have our different tolerances and blind spots in development. However, my application required way more than "a few" rules.

  • @user-oj7uc8tw9r 4 months ago +5

    We are going to have to talk to Fireship about this

  • @andythedishwasher1117 4 months ago +3

    I have to put some of this on Firebase for using a really confusing and relatively unique configuration syntax for security rules. However, it is pretty clearly documented at the moment. My guess is a lot of this is a relic of when it was NOT clearly documented. Probably a lot more of it is incompetent business owners and/or contractors who just blindly clicked default options in order to post up something quickly/impressively, possibly with the intention of reconfiguring it before pushing to prod, possibly ignoring the warnings entirely. Either way, this is a pretty massive blow to the platform's reputation.

  • @eno88 4 months ago +5

    effected. verb. caused something to happen; brought about.
    affected. adjective. influenced or touched by an external factor.

    • @pseudocoder78 4 months ago

      Effected can also be used as an adjective but obviously that wasn't the intent here.

  • @Tw33ty271 4 months ago +5

    1 streamer effected by Flip's editing today 😅

  • @Dom-zy1qy 4 months ago +1

    I wouldn't say firebase gives "zero warnings", but maybe i just don't know that they existed in my apps that used it. Specifically for firebase realtime, it's easy to misconfigure something, but I think they do let you know when you're configuring something that could lead to security vulnerabilities.
    I'd just assume most of these things would be discovered before going to prod.

  • @edism 4 months ago +5

    AFFECTED*

  • @Jeremyak 4 months ago +1

    kudos to the 2 sites that offered bug bounties.

  • @khanra17 4 months ago

    I have accessed so many firebases for years.
    But the meat is they were teachers on RUclips who teach about development 😂.
    Many of them had write access

  • @jcmorin2007 4 months ago +1

    The fact 75% DIDN'T fix their database, would it be responsible to release the source of the script so that everyone can grab the data?

  • @robertm4934 4 months ago +6

    AFFECT*

  • @kiwikemist 4 months ago +2

    Doesn't firebase specifically have a mode for local hosting so you can test your security rules before putting them in production?

    • @intesoft-inc 4 months ago +2

      Yes, and also a unit testing framework to test the rules with every scenario you can come up with. This is 100% a skill issue.

    • @kiwikemist 4 months ago

      @intesoft-inc I thought as much

  • @softwaredeveloper6791 4 months ago

    GCP is very loosey goosey with permissions. For example, creating a user in the cloud database gives them all the permissions. It's up to the concerned IT guy to then go into the database instance to limit the permissions.

  • @supermarinespitfire1 4 months ago +2

    'Affected' brah

  • @Destide 4 months ago +2

    Theo going to be mad

    • @zeeeeeman 4 months ago

      Yup, Theo was first.

  • @human_shaped 4 months ago +1

    Affected

  • @pharoah327 4 months ago

    The fact that they were surprised at Python's poor handling of threads and memory makes me think they don't know Python. That's kind of common knowledge under things Python doesn't do well.

  • @cedricol 4 months ago +1

    Makes you wonder whether you can use the skill issue of gambling websites against them, and tip the odds in your favour.

    • @DaVinc-hi7hd 4 months ago

      I think they must be putting all their efforts in getting the odds in their favor, so that might be hard.

  • @MegaGorgot 4 months ago

    I'm honestly glad that I decided to move to supabase as a solo developer. It's just horrible in so many ways.

  • @NuncNuncNuncNunc 4 months ago

    User passwords stored in plaintext - I think we put some of this down to skill issues.
    Good chance this is only the surface. How many sites allow unauthorized access to cloud functions. Just a simple example probably without any security concerns, but one of the sites has a simple function to get the server's unixtime. There's no need for it to be open and firestore can check that requests come only from the site itself. How many POST requests behave the same way?

  • @samiraperi467 4 months ago +1

    "We set to work scanning the entire internet for exposed PP uh PII" Is that a Freudian slip? 🤔

    • @BiHMaverick 4 months ago

      there's PPI and PII, PPI - Protected Personal Information.

  • @greyroot00 4 months ago +1

    Firebase auth system does not store password in plaintext isn't it. You need to put effort to store password in plain text, it is closer to malicious than incompetence.

  • @cedricol 4 months ago

    Frankly, that's hardly a Firebase issue, since it defaults to denying all requests, and you have to write rules to decide what's allowed, usually depending on logged-in user (eg. the logged in user can see his own profile record). And anything you'd read via the admin SDK, you wouldn't allow at all.
    Those "developers" either intentionally wrote in the config to allow all requests, or actively put it in test mode (used for development) every 30 days (since that mode expires after 30d), and ignore the regular warning emails that they get from the service. It's one of those cases where the tool does everything right to protect you, but you still go against it and all its warnings and open everything.
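
The rule states these comments describe (test mode with an expiry date, signed-in-only access, owner-only access) can be checked mechanically in a project's own rules file. The Python audit below is an added example, not part of the comment thread, the video, or Firebase's tooling; the sample rules text and the verdict labels are constructed for illustration, and the classifier is a heuristic over `allow` statements that goes beyond the cases named in the comments.

```python
import re
from dataclasses import dataclass

# Constructed sample rules file (not taken from any real project).
SAMPLE_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // "test mode": open to everyone until the date passes
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2024, 10, 11);
    }
    // any signed-in account can read every profile
    match /profiles/{userId} {
      allow read: if request.auth != null;
    }
    // only the owner can touch their own document
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /public/{doc} {
      allow read: if true;
      allow write: if false;
    }
  }
}
"""

# One token per structural element: "match /path {", "allow ops[: if cond];",
# or a bare brace from a service/function block.
TOKEN = re.compile(
    r"\bmatch\s+(?P<path>/\S*)\s*\{"
    r"|\ballow\s+(?P<ops>[^:;]+?)\s*(?::\s*if\s+(?P<cond>[^;]+))?;"
    r"|(?P<open>\{)|(?P<close>\})"
)
RISKY = {"OPEN", "TEST_MODE", "ANY_SIGNED_IN"}

@dataclass(frozen=True)
class Finding:
    path: str
    ops: tuple
    verdict: str
    condition: str

def classify(path, cond):
    """Heuristic verdict for one allow statement (labels are this example's own)."""
    if cond is None:                      # "allow read;" has no condition at all
        return "OPEN"
    c = re.sub(r"\s+", "", cond)
    if c == "true":
        return "OPEN"
    if c == "false":
        return "DENY"
    if "request.auth" not in c and re.search(r"request\.time<=?timestamp\.date\(", c):
        return "TEST_MODE"                # public until the expiry date
    if c == "request.auth!=null":
        return "ANY_SIGNED_IN"            # every account reads every document
    owner = re.search(r"request\.auth\.uid==(\w+)", c)
    if owner and "{%s}" % owner.group(1) in path:
        return "OWNER_SCOPED"             # uid tied to a wildcard in the path
    return "REVIEW"                       # anything else needs a human

def audit(rules_text):
    """Return a Finding for every allow statement, with its full match path."""
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", rules_text, flags=re.S)
    stack, findings = [], []
    for m in TOKEN.finditer(text):
        if m.group("path") is not None:
            stack.append(m.group("path"))
        elif m.group("open"):
            stack.append("")              # service/function block, no path part
        elif m.group("close"):
            if stack:
                stack.pop()
        else:
            path = "".join(stack)
            ops = tuple(o.strip() for o in m.group("ops").split(","))
            cond = m.group("cond")
            findings.append(Finding(path, ops, classify(path, cond), (cond or "").strip()))
    return findings

def risky(findings):
    """Findings that expose data to the public or to every signed-in account."""
    return [f for f in findings if f.verdict in RISKY]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"{f.verdict:14} {','.join(f.ops):11} {f.path}")
```

Firestore grants access when any matching `allow` is true, so the recursive `/{document=**}` test-mode rule in the sample overrides the owner-only rule below it until its date passes.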

  • @jerrodc8019 4 months ago

    Prime, you know what you've done... I'm curious how much it will affect your numbers.

  • @AlecMaly 4 months ago +2

    SaaS apps are insecure by design because it's easier for developers to get started. It's a business strategy, a fine line to walk between security and ease of use.

  • @seasn5553 4 months ago

    I got into my community college's website that way lol. People will ALWAYS be a point of failure

  • @pianochess1882 4 months ago

    Is it really legal to store 125 million records of personal information in a private database, considering that data was only accidentally public?

  • @davguev 4 months ago +3

    Affected*

  • @mvs2403 4 months ago

    To be fair, I think there is some kind of warning, everyone just ignores it during development and forget to change it and reset those security rules when publishing

  • @JoshuaMoreno 4 months ago

    THERE IS A GODDAMN WIZARD WHEN YOU CREATE THE DB THAT HANDLES THIS
    none of the default options allow unauthorized access after 30 days of the db creation, any fully public access config is 100% responsibility of a lazy dev that probs should be fired, yes, skill issue
    if you select "test mode" it'll allow unauthed for 30 days
    "production mode" will only allow authed access

  • @NeuravnoveRS 4 months ago

    I'm pretty sure that a python program with ~>1thread will start to chew up memory immediately. I'm not a python hater, it's a great tool for mathematicians(lol Julia dead lang) and other grad students in stem.

  • @InternetKilledTV21 4 months ago

    RooBet, although RooBet publishes their starter seeds so maybe it's not the best example of degen unreg?

  • @crisdebug8675 4 months ago +1

    Not exactly a security risk, but there was a moment when I inadvertently made an infinite loop that was:
    1. Making a lot of writes to Firestore
    2. Spamming users with notifications
    Later I saw that it had >2B writes and 700 US$ of cost.

    • @DaVinc-hi7hd 4 months ago

      wow, you had to pay for that ?
      was it a personal project ?

    • @crisdebug8675 4 months ago

      @DaVinc-hi7hd Nope and Nope. Fortunately, the company was like "Eh, that kind of thing happens, we'll cover this time. But make sure to test properly next time!"

    • @DaVinc-hi7hd 4 months ago

      @crisdebug8675 oh, that's very kind of them !!
      how much time did it take for those >2B writes to complete/you to notice ?

    • @crisdebug8675 4 months ago

      @DaVinc-hi7hd it was a couple of hours. I was going to check something on the firebase project, and saw the initial dashboard and thought "Wait a second, why Firestore has a 2B on it?"

  • @StephenMoreira 4 months ago +3

    Misleading I feel like, it's more companies not caring about security, it's super obvious if firebase is allowing full access.

    • @user-kh3ub8hs4e 4 months ago

      Yeah - if you started a project and you use client side queries - it's open by default and emails you everyday after a while to edit rules.

    • @StephenMoreira 4 months ago

      @user-kh3ub8hs4e God I forgot it does email you.

  • @DMWatchesYoutube 4 months ago +1

    Bro you don't even need to be a hacker, just be a magpie and scrub the floor

  • @JimAllen-Persona 4 months ago

    Called it Catalyst.. the brand name of a Cisco appliance. Ironic.

  • @edugar88 4 months ago +1

    Nice move Flip xD

  • @DragoNate 4 months ago

    Shouldn't the title say "Affected", ser?

  • @anonlegion9096 4 months ago

    10:40 is it possible they were looking for hard-coded API keys/high entropy secrets? I've seen shit like this in production far too many times for comfort.

  • @bohdanvinter6929 4 months ago

    ...agen!

  • @ThomasWSmith-wm5xn 4 months ago +1

    So much of this isn't firebase's fault as much as - firebase is a very easy tool to use and attracts ... less skilled people.

  • @spl45hz 4 months ago +2

    This doesn't even include the common read all access if signed in...

    • @Fernando-ry5qt 4 months ago

      Yeah, there is a really high chance they gave * access to every collection and just filtered with the user id...... I've seen that before and makes me sad

    • @Nocare89 4 months ago

      Yeah, I think that's the default rule set lol. It is at least a common intro example which people probably often don't change.

    • @Fernando-ry5qt 4 months ago +1

      @Nocare89 Tbh it's been a long time so I don't remember, but I think you get a warning when trying to deploy the project if your rule set is default?
      yeah..... I had a LOT of troubles configuring that file years ago

    • @Nocare89 4 months ago

      @Fernando-ry5qt If there is a warning it is just buried in terminal output. I think you get a warning in the console site if you have global read permissions but I'm not even confident with that one.

  • @Nocare89 4 months ago

    You could just craft a google search for domains which include firebase sdk files or urls.

  • @bobwilkinsonguitar6142 4 months ago +3

    Thank god it's not just me making horrible firebase rules. Can't figure out how to give my users the access they need, while prohibiting what they don't.
    Skill issue.

    • @britneyfreek 4 months ago

      ever thought about not putting users data somewhere you can’t control?

    • @bobwilkinsonguitar6142 4 months ago +1

      @britneyfreek I have zero users, and am developing for fun, should have specified that users=null

    • @bobwilkinsonguitar6142 4 months ago +1

      Still learning!

  • @_GhostMiner 4 months ago

    **AFFECTED*

  • @onclimber5067 4 months ago

    They should make their code public or host on a website so people can check their own website for vulnerabilities

  • @EllGeeLabs 4 months ago +1

    It's "affected", not "effected."

  • @MikePaixao 4 months ago

    I remember having to limit Python max threads because every pc in the office would fail at different max counts 😅 thanks windows.

  • @kucingoyen1 4 months ago +1

    Who in the world saving password as a plain text!?

  • @GlimmerOfLight 4 months ago

    "Affected" .. please!

  • @amandasandell3351 4 months ago +2

    affected*

  • @LouisDuran 4 months ago

    Just want to say: Affected

  • @sidthetech7623 4 months ago

    Lets talk about the 0% payout on some of these gambling websites.

  • @Mempler 4 months ago

    If you want something done right, do it yourself. except that if you do it yourself, your whole database is already on the internet

  • @SimonJackson13 4 months ago

    Sounds like client state not being server state checked.

  • @chris-pee 4 months ago

    That's the natural consequence of putting Row Level Security in the hands of ignorants. Or just people who don't care.

  • @pauldraper1736 4 months ago +2

    *Affected

    • @duckner 4 months ago

      Only clicked on the video to say this

    • @pauldraper1736 4 months ago +1

      @duckner maybe it's intentional then 😂

  • @comedyman4896 4 months ago

    "125 million accounts, 1 vulnerability" sounds like a porn title for robots

  • @TayambaMwanza 4 months ago

    Bruh, firebase has auth, why store plain text passwords.

  • @ccj2 4 months ago +1

    You don’t need to know anything about Firebase. Run very very far away

  • @njnjhjh8918 4 months ago

    watched

  • @donf2944 4 months ago

    just giggling doorhandles. wow

  • @jonnyso1 4 months ago

    DUDE !

  • @DeviantFox 4 months ago

    Prime .. I'm disappointed .. it should have been, "I've never configured firebase, let alone misconfigured it"

  • @danielmajer1648 4 months ago

    They used multiprocessing not threading. They have copied the same process with different inputs 500 times. *Skill issue

  • @TehPwnerer 4 months ago

    Why wait for the thing to complete then go on with the next step obviously you'd have a bunch of data to work with along the way while this script was at work and then why would you manually go through anything when you just wrote a script to dump a bunch of stuff in a file for you to go over it makes no sense

  • @bearwolffish 4 months ago

    The real skill issue is not having time to understand first hand, the 3rd party protocols we rely on.

  • @AlanThomas1 4 months ago

    *affected

  • @andythedishwasher1117 4 months ago

    How much you wanna bet Upwork is about to be flooded with requests for "Firebase experts"?

  • @diegolikescode 4 months ago

    Ligmed a lot of memory

  • @bmc_ 4 months ago

    SEESH

  • @DMWatchesYoutube 4 months ago

    Python the only true thread ripper

  • @Jensemann099 4 months ago

    firebase, supabase.... sick of all this bullshit. Yeahhh I know, it scales so gooood for a superlarge start-up scenario. goosh wake up.

  • @sampleshawn5380 4 months ago

    "should have been Rust" 😂

  • @pupu6oi74 4 months ago

    affected

  • @apoorvaditya5265 4 months ago

    I just came here to say affected. Bye!

  • @britneyfreek 4 months ago

    put all your privacy into the cloud and don’t ask questions they said.

    • @ripkm-iwaly 4 months ago

      anybody who says that is either dumb, sadistic or stands to profit from it somehow

  • @petersuvara 4 months ago

    Firebase security rules and their documentation are a horrendously poor way of managing the entire system. You cannot perform any regex in the rules themselves. It’s a disaster.

    • @Nocare89 4 months ago

      Incorrect, you have access to a weird google specific regex that's really hard to test a working version of outside of the rules engine itself. But it does work just fine.
      I would instead point to the lack of 'else' statements which really messes with a modern programmer.
      That and ternary conditions which evaluate all paths regardless of the designated winning path from the primary condition.

    • @petersuvara 4 months ago

      @Nocare89 I tried it to match user names, doesn’t work. We have no idea how to work around it atm and are looking at custom encryption.

  • @thevortexATM 4 months ago

    stupid things like this are going to lead to the forcing of a digital ID :(

    • @reverse_shell.asm.sh.exe1 4 months ago

      nothing to hide, nothing to fear.. unless you are in a fucked up place I guess..

  • @covle9180 4 months ago

    Dumpster firebase

  • @poderosoexcalibur-yp3kl 4 months ago +1

    i hate firebase

  • @fuyukaidesu1641 4 months ago

    >effected

  • @science_trip 4 months ago

    loool and all these "ex-Googles" judging PHP and WordPress 🤣🤣🤣🤣🤣

  • @asdanjer 4 months ago

    U have a critical issue! All your customer data is exposed!
    Ok so we have a slot open in 2 sprints...

  • @Kane0123 4 months ago

    No one is properly appreciating just how blazingly fast low code solutions helped to make this. They would have been so slow to market with their insecure products have to write all the code and infra themselves. #EveryoneShouldCode

  • @deadbeef576 4 months ago

    Not so prime grammar/spelling.
    It's affected, not effected.

  • @ahmadjames151 4 months ago

    You are a Muslim 😍

  • @spartanace13 4 months ago

    Fifth

  • @dirty-kebab 4 months ago +1

    Damn, now my SATAN stack won't work

  • @sirk3v 4 months ago

    @ThePrimeTimeagen, firebase skill issues