The $4 BILLION Hack That Everyone Missed

  • Published: 23 Apr 2024
  • I'm always gonna take the opportunity to dunk on Firebase but MAN this was too good. Can't believe the severity of these hacks, nor the insanity of the responses the hackers got.
    SOURCES
    mrbruh.com/chattr/
    env.fail/posts/firewreck-1/
    / xyz3va
    kibty.town/blog/chattr/
    Check out my Twitch, Twitter, Discord more at t3.gg
    S/O Ph4se0n3 for the awesome edit and ThumbnailGirl for the thumbnail 🙏
  • Science

Comments • 281

  • @Xankill3r
    @Xankill3r 1 month ago +297

    Chattr not acknowledging and then ghosting them is quite normal IMO. They're an AI company. Can we really expect them to conduct themselves ethically?

    • @rawallon
      @rawallon 1 month ago +1

      Open market for ethical AI?

    • @Kane0123
      @Kane0123 1 month ago +2

      What mandatory reporting is in place? They should have been required to disclose to all the affected users and companies.

    • @ytuseraccount
      @ytuseraccount 1 month ago

      It's not only AI companies. Companies in general are often really bad at handling vulnerability reports: slow response times, bad triage and payouts, etc. Microsoft are pretty notorious. They paid a dude $300 for a wormable 0-click Teams RCE via a CSTI -> WAF-bypassed XSS -> Electron jailbreak. They only paid for the XSS, because they "only accept RCE reports in system applications", even though Teams has 300 million users. It's not just Microsoft; I'm calling them out because that's particularly egregious, but it's actually the standard. Not to mention practices like log patching (monitoring the logs to see what bug hunters are doing so you can patch it before the report and avoid paying them). I've had 2 companies do that to me, and a friend had Tesla do it to them. False duping is also a common tactic to avoid payouts. It's ridiculous: by mistreating and overlooking security researchers they actively incentivize blackhat activity. Let me make something absolutely clear: companies only really care about their users' security to the extent that a large breach harms their reputation. If they think it will ONLY harm their users but they, the company, will be okay, chances are they give no fucks.

    • @starnumber_alt
      @starnumber_alt 29 days ago

      Who should @@Kane0123

  • @ratchanan_sr
    @ratchanan_sr 1 month ago +57

    22:43 The screenshot seems to be in Thai. I'm Thai, so I just want to mention that this is probably part language barrier, part social issue in Thailand. See, in Thailand there's a rampant issue of fake "call centers", where a scammer will send a link to a victim to trick them into installing a remote-access application on their phone and then use that to siphon money from their banking apps. The customer service person probably a) doesn't know English that well and b) isn't technical-minded, so when Eva sent a link to them they probably thought Eva was trying to scam her or something, thus refusing to comply.
    Fun fact: gambling, online or offline, is illegal in Thailand. Go figure.

  • @Red7iger
    @Red7iger 1 month ago +32

    In my country a uni student disclosed a vulnerability in the capital city's public transportation app where they could set and buy tickets and passes for 0 dollars, and instead of a bounty or a job they got sued... this is a privately owned but government-subsidised company...

    • @TheOfficialT3Si
      @TheOfficialT3Si 1 month ago +6

      Are you referring to Hungary or another country? I know of people who abused this in Budapest (the guy who reported it was arrested). There was no server side validation at all if I remember correctly. You could just send the 0 amount in the POST request and it would blindly accept that.

    • @Red7iger
      @Red7iger 1 month ago +2

      @@TheOfficialT3Si yep.

    • @sankkakeiinc7855
      @sankkakeiinc7855 1 month ago

      That is messed up

    • @ferinzz
      @ferinzz 1 month ago +6

      I've heard of other stories where a student does the same and they end up arrested with criminal charges. Literally just telling them that if they're going to poke around, do it maliciously and not disclose any vulnerabilities they find.

    • @okkam7078
      @okkam7078 1 month ago

      Similar thing happened in the States, some MIT students hacked Boston city transit. I'm not sure if they reported it through proper channels, but their charges were dropped anyway. There's a Powerpoint presentation about it floating around somewhere online.

  • @Elesario
    @Elesario 1 month ago +30

    It always surprises me when the default configurations for stuff like this aren't the most locked down they can be, so that the admin can peel back just the bits they want.
    Also on the bug bounties, it's clear that the people behind this did actual work, that in any respectable company would be a highly paid job.

  • @rumplstiltztinkerstein
    @rumplstiltztinkerstein 1 month ago +15

    I never expected the famous firebase being caught exposing privates to the public

  • @LucasMontano
    @LucasMontano 1 month ago +134

    I could say the same dev that leaked the Firebase API key would leak any API key hahaha

    • @juanmacias5922
      @juanmacias5922 1 month ago +23

      The issue is they didn't use rules to secure the app, Firebase API keys are safe to be public. The documentation even says so.

    • @wojtek5693
      @wojtek5693 1 month ago

      @@juanmacias5922 How are they secure in public? Anyone can take your key and use it to show information on his website. For example when you have READ that gets data for everybody, like products on the website.

    • @daphenomenalz4100
      @daphenomenalz4100 1 month ago

      @@juanmacias5922 even the secrets?? Cuz I have seen so many repos with all the five keys left on GitHub 💀
      I was like, aren't they scared?

    • @vedantmatanhelia1016
      @vedantmatanhelia1016 1 month ago +4

      I had a guy push aws secrets

    • @ARBezerra
      @ARBezerra 1 month ago +1

      Will you do an AI-dubbed reaction video from this?

  • @AvanaVana
    @AvanaVana 1 month ago +46

    5:00 ok, but the kind of people that are going to use Firebase without the necessary rules and precautions would also be completely incapable of implementing a custom back end on their own that wasn’t riddled with vulnerabilities

    • @SeaHay
      @SeaHay 1 month ago +10

      Then they also aren't qualified for handling private information like people's credit cards, addresses, etc. Who knows if this made its way towards any medical application where this could trigger millions in E-HIPAA violations alone.

    • @RobFisherUK
      @RobFisherUK 1 month ago +1

      Yes, this part doesn't sit right with me. Implementing your own things to do with security generally is not a good idea. The problem is the intersection between "easy to use" and "possible to mis-configure". I think "easy to use" is only completely true if it is also "easy to correctly configure". The real answer is to teach people which tools are good and bad by this metric, and teach them how to tell.

    • @SeaHay
      @SeaHay 1 month ago

      @@RobFisherUK if you'd argue that someone making a fake donation tap-to-pay box isn't "easy to use" then I think this would be an argument of semantics

  • @Elesario
    @Elesario 1 month ago +46

    When someone only just approaching the end of their 20s says they feel old, casually dissing most of the world's population that's already older than them. Hits you in the feels.

    • @3ux1n3
      @3ux1n3 1 month ago

      yep

    • @electrified0
      @electrified0 1 month ago

      Doesn't need to. I just remember my first time having a similar feeling at a similar age and think "welcome to the club" instead of turning it into a dick measuring contest.

    • @SergioBallestrero
      @SergioBallestrero 1 month ago +1

      I guess I'm too old to feel offended by that 😅

  • @electrified0
    @electrified0 1 month ago +5

    The customer service really hit her with the "ARE YOU A GORL?"

  • @wlockuz4467
    @wlockuz4467 1 month ago +16

    I don't know what would be worse, a bad developer using Firebase or a bad developer rolling their own backend.

  • @franmarkulin280
    @franmarkulin280 1 month ago +51

    Isn't firebase config OK to be exposed and you're supposed to protect yourself with rules?

    • @juanmacias5922
      @juanmacias5922 1 month ago +26

      Exactly, this is in the Firebase documentation.

    • @DiegoxKa
      @DiegoxKa 1 month ago +16

      What is a documentation? something you eat? :o

    • @wlockuz4467
      @wlockuz4467 1 month ago +16

      I used to work with Firebase a while ago, so take this with a grain of salt.
      Yes, it's okay to expose public config as long as you have set up the rules. Without the rules authorization doesn't exist, meaning any user can write to any other user. If you don't set up correct rules then Firebase will keep yelling at you with a red warning, but it is possible to ignore it and still proceed.

    • @juanmacias5922
      @juanmacias5922 1 month ago +5

      @@DiegoxKa apparently something no one reads. This is why the meme of "RTFM" has merit.

    • @3_smh_3
      @3_smh_3 1 month ago

      @@wlockuz4467 writing Firebase security rules would make you want to kill yourself. Tooling around it is just so sloppy. I once worked in a team who used Firebase where the security rules were basically treated like after-thoughts, at least as long as I was there. No wonder shit like this happened.

  • @TheHTMLCode
    @TheHTMLCode 1 month ago +3

    And this is why I hate how much the industry is leaning toward low/no-code solutions. Sure they’re great to prototype products quickly, but if any of those prototypes take off you’re left with a bunch of tech debt via vendor lock-in to some of these backends. The scary thing is that large companies utilise these solutions to build customer-facing products without necessarily understanding the implications, as depicted in this video.

  • @AvanaVana
    @AvanaVana 1 month ago +10

    2:50 in boston they mostly use fayabase

  • @professoryaffle332
    @professoryaffle332 1 month ago +8

    Kudos to Eva and MrBruh . . . I'd have been filling that bag and looking for a nice island with little-to-no extradition arrangements

  • @jaywall4591
    @jaywall4591 1 month ago +52

    I wish you would upload thumbnails that don't look constipated

    • @Iswimandrun
      @Iswimandrun 1 month ago +1

      The reality of web development and actually caring about what you publish on a url does that to you.

  • @infinitivez
    @infinitivez 1 month ago +5

    Wouldn't believe how many times these messages get intercepted or handed directly to a systems admin, and they play it off as them stopping a dangerous hacker, and not a misconfigured service they or a small backend dev team are responsible for. Doesn't surprise me the majority don't offer a bug bounty. You show a lot of these smaller outfits up, and to them, it's job threatening. If you want actual results, get ahold of their sales division. They almost always have a direct line to someone who's in charge, that isn't technical, who is interested in keeping the lifeline of the business up and running. Sometimes it's better to go in via that route, than have their systems admin label you a threat actor without ever getting a chance to speak with them.

  • @Elesario
    @Elesario 1 month ago +9

    For reference, PII stands for Personally Identifiable Information, although I guess Private Information gets the gist across.
    (edit) I believe PII is the legal term used for the Data Protection Act, so that's why it gets used.

  • @wlockuz4467
    @wlockuz4467 1 month ago +15

    In Firebase's defence, they show a big red warning when deploying without proper rules. At least they used to when I worked with it a few years ago.
    On the other hand, I think it's better for any platform to be restrictive by default, so in Firebase's case it shouldn't let you deploy without you understanding the implications of the rules. Something like this probably doesn't exist because the execs think it's not important and creates a lot of friction for customers trying out the platform for the first time.
    It's the classic example of business goals undermining good security practices.

    • @Iswimandrun
      @Iswimandrun 1 month ago +2

      Dealing with the same stuff at my job. "Ship this PWA with hard-coded MQTT username and password please." "Okay, can I at least configure the dynamic security plugin with proper roles so credentials can only do what they're supposed to?" "No, there is no time, ship it now, it works."

    • @wlockuz4467
      @wlockuz4467 1 month ago +3

      @@Iswimandrun One thing I learned the hard way was to never build a good proof-of-concept or demo and present it to non-technical higher-ups; it will 100% get shipped because "it works".

    • @Iswimandrun
      @Iswimandrun 1 month ago

      @@wlockuz4467 It will work till the credentials get exfiltrated out of WASM and used to do, well, anything the attackers want.

  • @riftsassassin8954
    @riftsassassin8954 1 month ago

    Nice vid man. I recently heard about Firebase and these things, thought it was too good to be true. Automated backend = security failures

  • @MegaTechGarage
    @MegaTechGarage 1 month ago +1

    "Open garden for me to fuck around in" - Theo

  • @portalteam5832
    @portalteam5832 2 days ago

    Not sure how recently they changed it, but firebase automatically denies all requests now. Even if you manually "opt-in" to be "open" during dev, it's locked back down after 30 days. You have to explicitly configure it for bad security now.

  • @memogarrido
    @memogarrido 1 month ago +4

    I think it’s not true that firebase default is without rules. The default today is you choose a write false on everything or you *choose* testing mode with read and write open with a date limit
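
    As an added example (not from the video or from any commenter), here is a pre-deploy check that scans a `firestore.rules` file for the two states the comments above describe: an `allow` with no real condition, and the time-boxed "test mode" rule that stays open until its cut-off date. The two rules files are constructed samples, and `audit_rules` / `rules_deploy_gate` are names chosen for this example.

```python
"""Pre-deploy lint for Firestore security rules (added example; constructed samples).

Flags the configurations the comments describe: an `allow` that grants access
unconditionally, and the "test mode" rule that stays open until a cut-off date.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the "test mode" rules offered at database creation. Every
# document is readable and writable by anyone until the date expires.
OPEN_TEST_MODE_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2024, 5, 23);
    }
  }
}
"""

# Constructed sample: deny by default, then let a signed-in user read and
# update only the document keyed by their own uid.
LOCKED_DOWN_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    match /users/{uid} {
      allow read, update: if request.auth != null && request.auth.uid == uid;
    }
  }
}
"""


@dataclass
class Finding:
    line: int
    severity: str  # "high" blocks deployment, "medium" is for review
    message: str


# One `allow <ops>[: if <cond>];` statement on a single line. Multi-line
# conditions are not matched and should be reviewed by hand.
ALLOW_RE = re.compile(r"allow\s+([a-z, ]+?)\s*(?::\s*if\s+(.+?))?\s*;")
# The date gate Firebase writes for test mode.
TEST_MODE_RE = re.compile(r"request\.time\s*<\s*timestamp\.date\(")


def audit_rules(text: str) -> List[Finding]:
    """Return one Finding per allow statement that grants more than it should."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALLOW_RE.search(line)
        if not m:
            continue
        ops = m.group(1).strip()
        cond = (m.group(2) or "").strip()
        if cond == "false":
            continue  # explicit deny, the default we want
        if cond in ("", "true"):
            findings.append(Finding(lineno, "high",
                                    f"'allow {ops}' has no condition; anyone can {ops}"))
        elif TEST_MODE_RE.search(cond):
            findings.append(Finding(lineno, "high",
                                    f"'allow {ops}' is test mode: open to everyone until the cut-off date"))
        elif "request.auth" not in cond:
            # Not necessarily wrong (e.g. a deliberately public collection),
            # but access is granted without looking at who the caller is.
            findings.append(Finding(lineno, "medium",
                                    f"'allow {ops}' does not check request.auth"))
    return findings


def rules_deploy_gate(text: str) -> bool:
    """True if the rules may be deployed (no high-severity finding)."""
    return not any(f.severity == "high" for f in audit_rules(text))


if __name__ == "__main__":
    for name, rules in (("test mode", OPEN_TEST_MODE_RULES), ("locked down", LOCKED_DOWN_RULES)):
        print(f"{name}: {'deployable' if rules_deploy_gate(rules) else 'BLOCKED'}")
        for f in audit_rules(rules):
            print(f"  line {f.line} [{f.severity}] {f.message}")
```

    Running this in CI before `firebase deploy --only firestore:rules` turns the red warning the comments mention into a hard stop.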

  • @benjaminbalazs
    @benjaminbalazs 1 month ago +3

    I have written a Firebase security rules compiler that takes my models and spits out a bullet-proof rules file. The security rules as a markup is so bad there is no way to manually keep it updated, secure and remain sane.

    • @nws551
      @nws551 1 month ago

      That sounds interesting, is it a public repo?

    • @sankkakeiinc7855
      @sankkakeiinc7855 1 month ago

      Sounds interesting, working with Firebase rules can be a pain

  • @JeffreyRennie
    @JeffreyRennie 1 month ago

    Firebase's rules files make it very easy to *audit* all access to your database. If you build your own backend between the client and the database, then you have to audit all the code in the backend to confirm no one gets access who shouldn't have it. That's a lot more difficult.

  • @xelaxander
    @xelaxander 1 month ago +1

    That’s the second weed club pwned in Germany recently. Great job!

  • @djbroake9810
    @djbroake9810 1 month ago

    Amazing work, thank you for all involved

  • @disasterarea9341
    @disasterarea9341 1 month ago

    I feel you on the Dunkin'. But worse, I live in the UK and there's barely any here. My mum's side of the family largely lives in Delaware, so I always have some Dunkin' when I go visit at least~

  • @linuxguy1199
    @linuxguy1199 1 month ago +3

    This just cements my belief that if your website uses anything more complex than the LAMP tech stack, it is simply way too complicated and probably insecure as well. The LAMP tech stack is the best tech stack, change my mind.

    • @melchi5663
      @melchi5663 1 month ago

      A 24-year-old bug in the GNU C Library (tracked as CVE-2024-2961) can allow a threat actor to get remote code execution on virtually any PHP application that is running on a system with glibc (pretty much every Linux operating system and by extension most websites on the internet) -> Mental Outlaw made a video about it (watch?v=u8jLUjpCWrs)

    • @BigDaddy-yp4mi
      @BigDaddy-yp4mi 8 days ago +1

      Sure, here goes: impossible to argue against.

  • @Pixelume
    @Pixelume 1 month ago +37

    This is hair raising. Great job to Eva and the team who exposed this and Theo for bringing it to the public's attention. I'm a little conflicted however about the fact that this video was released with those vulnerabilities still exposed on many of the sites because ultimately the people who will pay the price are the innocent users.

    • @RobertMcGovernTarasis
      @RobertMcGovernTarasis 1 month ago

      Well, given we are now 4 months on from the hack and them trying to get the companies to do something... if this is the spur to kick them up the arse then all the better

  • @Leto2ndAtreides
    @Leto2ndAtreides 1 month ago

    The thing about not saying thank you...
    I could see that being one of those annoying workflows where once a ticket is closed, it's done.
    And companies often don't come back to the reporter to make sure that the situation has in fact been properly handled... Which is good policy.

  • @emanuellarini
    @emanuellarini 1 month ago +5

    Google documentation is known to be very poor. I guess they only hire geniuses who can leetcode but can't write proper documentation.
    There's not a single mention in the Firebase starting tutorial to guide inexperienced folks on how to address the key leak problem.
    I am not saying that excuses the dev for making that huge mistake, but the documentation should def raise a red alert on that!

  • @zyzlol
    @zyzlol 1 month ago

    There is an open API endpoint that takes a Firebase API key and allows anyone to create a new user account when user/password sign-up is enabled. So yeah, you can't just do some simple auth mechanism to check if auth && userid. Can't turn off sign-ups either. Basically needed to use Firebase functions to do some automated user activation stuff back in 2018 when I reported this to Google. Wonder if it's any better now.

  • @jordanjackson6151
    @jordanjackson6151 1 month ago +1

    He said, 'He felt old.' I'm only 37, but I've only learned to hack and defend since a year ago. Just because, I always got hacked (laughing)! Learned to code like 3 years before (Obviously Python). All of this through College. Apparently the best hackers from the jump are the literal 'Script Kiddies....' And yes, I had to learn my terminology from a book (laughs even harder). But now living on my own.... in a college neighborhood of computer geeks, I find that, the ones who are free to do cyber hacks at the earliest age - are the tough ones!

  • @linuxguy1199
    @linuxguy1199 1 month ago

    My remote minecraft server monitoring suite literally has the sessionToken, isLoggedIn and then isAdmin as the first three variables declared and set in literally the first bit of PHP on handling a GET request. My security model is literally, if this site gets pwned, shutdown VM, load last ZFS snapshot, start VM, fix vuln, turn NIC back on.

  • @littlemeg137
    @littlemeg137 1 month ago

    There needs to be a Dunkin' in Seattle.

  • @samuelschwager
    @samuelschwager 1 month ago

    It is almost like having a clear separation between frontend and backend is a good practice for security :P

  • @cariyaputta
    @cariyaputta 1 month ago +1

    GCP was always hell to work with: it's broken, missing dependencies, and poorly documented every step of the way. And teams who use these serverless shenanigans are often incompetent cronyism hirings. Not surprised by this finding. The way Chattr handled the situation speaks volumes.

  • @_sh1123
    @_sh1123 1 month ago

    Killer content and shirt. Thank you!

  • @youhan96
    @youhan96 1 month ago

    I like your videos because they remind me to take everything I hear with a grain of salt!

  • @karmatraining
    @karmatraining 1 month ago

    Suddenly all those hours spent learning how to store secrets properly seem well invested

  • @_BonsaiBen
    @_BonsaiBen 1 month ago

    Felt I was old and old school (in a bad way) not buying the hype of these direct backend-as-a-service platforms, still cranking out my own servers, but now I feel validated. Thanks Theo!!

  • @Apoque
    @Apoque 1 month ago

    I feel like with that gambling site I would have used the bank routing number to contact the banks about accounts being pwned. Their customers might care more than the company.

  • @pehclark7256
    @pehclark7256 1 month ago +3

    oh >>>that

  • @seeibe
    @seeibe 1 month ago

    In Germany developers get search-warranted and sued regularly for this kind of responsible disclosure. My takeaway has been that any sane person should just ignore it when they stumble upon something like this (unless you're a hacker, obviously).

  • @orisphera
    @orisphera 1 month ago

    What software do you use?

  • @lolgreek123
    @lolgreek123 1 month ago +1

    I blame Google. Having a tiny bit of convenience in setting up a Firebase should not come at the cost of all your stuff getting leaked.

  • @beastnighttv
    @beastnighttv 1 month ago +1

    I would like to know if this was a case where even using .env files couldn't protect from the hack

    • @BancaCultural
      @BancaCultural 1 month ago

      No, for Firebase to work it needs to “expose” the API keys. To make Firebase secure you need to configure the security rules of the application on the Firebase console, something that the devs in the video didn’t.

  • @prozacgod
    @prozacgod 1 month ago

    @10:18 - even worse, there was likely no logging or any sort of audit trail of the actions being taken.

  • @Leto2ndAtreides
    @Leto2ndAtreides 1 month ago

    These sites also deserve interest for the fact that they have so many users, and thus must be doing something right on the business side...

  • @moose43h
    @moose43h 1 month ago +7

    2024 is the year of exploits

  • @middle_pickup
    @middle_pickup 1 month ago

    "Shoe-knees" Lmao

  • @CaptainCodeman
    @CaptainCodeman 1 month ago

    There is a Firebase security rule testing framework that makes testing permissions easy, to make sure people can only see the data they should and can't perform actions they shouldn't. It's good practice to use; your security is then unit tested like all your code. Leaving things wide open is just incompetence, not a fault of the platform.

  • @marlopainter8246
    @marlopainter8246 1 month ago

    As a new webdev with anxiety about not being good enough... I find that 6 months into my journey, I'm already more security-minded than professionals in actual companies deploying production code. I can't even begin to quantify the time I've spent on authentication and authorization.
    The first lesson I got was bcrypt for hashing passwords.... why, in this day, are we still storing plain text passwords?

    • @pianochess1882
      @pianochess1882 1 month ago

      Why do people store plaintext passwords? Ignorance, incompetence, laziness or a combination of the three.

  • @1vader
    @1vader 1 month ago

    idk, the fact that they had plain text passwords kinda tells me Firebase wasn't the problem. They probably would have messed up a custom backend all the same.

  • @Qefx
    @Qefx 1 month ago +5

    Thought about this: no API-key leak scanner caught this? ... and typical: authentication != authorization ...

    • @KebabTM
      @KebabTM 1 month ago +6

      Firebase API keys are meant to be public. You're just not meant to give them so many permissions off rip (referred to as "proper security rules" by the blog post).

    • @monad_tcp
      @monad_tcp 1 month ago +1

      @@KebabTM What a bullshit excuse, why do people keep saying that like parrots, what the f....
      That goes against every principle of security, like not exposing sensitive data and having multiple layers of security.
      That would be akin to: your file system should have proper access rules, so now let everyone into your SSH server with anonymous access, right?
      Firebase users are another thing... they're not professionals, sorry. A professional company wouldn't just put the database publicly on the internet. Please hire a backend developer.

    • @KebabTM
      @KebabTM 1 month ago

      @@monad_tcp Read the docs LMAO. It's a public API and it has a public key just like Google maps.

    • @svishQ
      @svishQ 1 month ago +1

      "having multiple layers of security" yet it was completely ignored by the dev team when they were setting up the Firebase service. If they didn't care for access rules, they wouldn't for the entire backend system (at least the auth part).

    • @monad_tcp
      @monad_tcp 1 month ago

      @@svishQ because there are no layers, and no developers, there's only frontend and visual design, and plugged-in APIs that are made by others, and a bit of glue code.
      They don't care about anything, they're just rebranding an API others made and putting a visual panel on top of it.
      Is that what we call "software development" now? Just user interface, no logic, and databases publicly open to the internet; they outsourced all the development and didn't even bother to properly configure the software they're using as "users".
      As others said a lot of times, it is a skill issue. But not a Firebase skill issue. No, it's a software development skill issue.
      If you just use others' software and correctly configure it, I would still call you a developer. But if you refuse to even configure it properly on top of outsourcing everything, and just plop some visual templates and use others' APIs, I find it hard to call those developers.
      What exactly is it they are developing? The scam? Sure it's not software with that low level of skill.
      I know WordPress resellers that do a better development job than those people using Firebase.

  • @dee-kryvenko
    @dee-kryvenko 1 month ago

    Wait, I’m so confused right now. Aren’t developers soooo expensive that we are all dumb if we are NOT using things like Firebase?

  • @akuoko_konadu
    @akuoko_konadu 1 month ago

    Congratulations to Eva and the team

  • @carpye2774
    @carpye2774 1 month ago +1

    Dude Eve's career is insane. I'm highly demotivated right now.

  • @yannick5099
    @yannick5099 1 month ago +4

    Passwords in plain text is one of the mistakes that seems to be repeated again and again. Are the existing solutions too unknown or hard to use? The basic account management should be 99% equal to other implementations.

    • @MrLordLowbob
      @MrLordLowbob 1 month ago +7

      Damn, even building your own password stuff from scratch is no excuse for plaintext pws.... it's so damn simple to at least hash and salt stuff. I really don't get it...

    • @rnts08
      @rnts08 1 month ago +5

      Companies hiring the cheapest JS dev they can find to "ship shit fast"

    • @hhvhhvcz
      @hhvhhvcz 1 month ago

      @@MrLordLowbob even just hashing it would be enough, and that would take what, one func call on the client and one call on the server just before you save it? It's insane

  • @halitsever198
    @halitsever198 1 month ago +5

    lmao I literally laughed so hard at the customer support
    19:35

  • @Interpause
    @Interpause 1 month ago

    22, stuck in uni, still haven't done all that much tbh. Man, 17-year-olds be like.

  • @chris7263
    @chris7263 1 month ago

    ...so, my little passion project that I'm teaching myself how to make is gonna be in Firebase, and now I feel a bit adrift. Firebase seemed like a good place to start, because it shortened the list of things I need to learn and (more importantly) gave me a clear, accessible way to deploy as a single individual with no money or organizational backing. It was never going to be monetized, so the stakes aren't too high--I think? But now I'm feeling insecure about this choice, is there some other option I should be working towards instead?

    • @erkeliwood6037
      @erkeliwood6037 1 month ago +1

      If you intend to keep sensitive information in there then first learn how to protect it. Theo and many of the comments make it sound like you can't build something secure with it, but that is not true; it's just that you need to take the time to learn how to do it right.
      The problem with Firebase is that it very easily lets you make your database unsafe, so it's on you to make sure you're covered.
      My suggestion to you is to try to play with it a little and try to understand how it works, then try to play with a different thing and see how they compare.

    • @StarnikBayley
      @StarnikBayley 1 month ago

      Firebase Auth and Firebase Cloud Storage go hand in hand. There is nothing to be afraid of if you authorize users with Firebase Auth and provide access to data through storage rules, leveraging Firebase Auth. Just don't forget to set storage rules when you deploy.

  • @Iswimandrun
    @Iswimandrun 1 month ago +1

    This hurts my soul.

  • @tropicbliss1198
    @tropicbliss1198 1 month ago

    If you are creating a new Firebase project, a good rule of thumb is to deny everything by default, and only expose database operations, etc. via cloud functions (unless you have need for real-time streaming of data from Firestore) using the Firebase Admin SDK. This way, you can express your authentication-checking logic with actual code instead of Firebase's weird and clunky security rules language.

  • @pithlyx9576
    @pithlyx9576 1 month ago

    This is how villains get made, guys. We gotta give 'em some love and respect

  • @alanonym8972
    @alanonym8972 1 month ago

    Can the companies that do nothing about it be reported to the authorities? I know that the EU has very strict penalties for companies neglecting their users' data. It's crazy to me that some people care so little about it.

  • @NickSandM
    @NickSandM 1 month ago

    23:25 ahaha sudo rm -rf that baby

  • @mbainrot
    @mbainrot 1 month ago

    This is like the S2 Bucket shit all over again

  • @djordje1999
    @djordje1999 1 month ago

    This is why developers should make their services from 0.. it's better to not have a feature than to have features that you don't even know exist and someone can use them..

  • @boredstudent9468
    @boredstudent9468 1 month ago

    Have you talked to Fireship about this 🤔

  • @JTWebMan
    @JTWebMan 1 month ago

    I would email all the customers and tell them their data is still exposed.

  • @SharunKumar
    @SharunKumar 1 month ago

    Dunkin mentioned ‼️‼️

  • @segsfault
    @segsfault 1 month ago

    Reading this post and then making a video explaining it is better than just reading it.

  • @mariospittas9331
    @mariospittas9331 1 month ago +8

    Always store API keys in your .env files

    • @sweetshit4931
      @sweetshit4931 1 month ago +3

      And upload it

    • @simp-
      @simp- 1 month ago +2

      Firebase API keys are supposed to be used in public (in private it wouldn't even make sense) with properly configured security rules. Have you ever used Firebase?

    • @monad_tcp
      @monad_tcp 1 month ago

      @@simp- THAT'S WRONG
      No API key is EVER supposed to be used in public; the only thing that should be public is the token nonce used by the web server to manage the session. All API keys and data about the application go there.
      Every single web server has sessions for this purpose.
      Firebase is just wrong, and dangerous, don't use it. Having the database exposed on the internet is NUTS.
      No one exposes a Postgres or SQL Server port on the internet and just says "the permissions should be enough"; some might do, but it would be a HUGE red flag.

  • @la.zanmal.
    @la.zanmal. 1 month ago

    23:11 This is not AI. This is an employee of the company who is pretending to understand English at a high level while basically having no clue whatsoever. Likely they "fixed" the issue by deleting the admin panel because "admin panel" are the only words they properly understood in the report.

  • @wolfymaster
    @wolfymaster Месяц назад

    I'm salty that at 17yo there is a way to get your name out there like this. When I was that age I had a dial-up connection and no idea that people did this for a job. I had my hands on data I probably shouldn't have had. Now none of that matters and it's impossible to find work.

    • @darylphuah
      @darylphuah Месяц назад

      We didn't have YouTube, but we still had forums and communities for this kind of stuff.
      Making a name for yourself was actually far easier because the niche groups were smaller.

    • @wolfymaster
      @wolfymaster Месяц назад

      @@darylphuah what niche groups? lol. I didn't know a single person who was interested in this stuff. And when I told the school district that I was able to access student records, they banned me from using technology in the school district for 2 years.

  • @OneOfThePetes
    @OneOfThePetes Месяц назад

    Holy shit. That is insane!

  • @sidthetech7623
    @sidthetech7623 Месяц назад

    Uhhh Ohhh Gambling establishments... 0% return? We could safely assume IRL casinos are rigged too. Seen one rare moment where the dealer at a table actually put in a shuffled deck in the shuffler, and it came out sorted. This doesn't settle very well with a developer.

  • @viccie211
    @viccie211 Месяц назад

    Holy balls. I would jump out of bed in the middle of the night to fix an issue like this and compensate the duck out of these hackers if this were to happen to me. Not flirt with them and not fix it after a month

  • @Jiftoo
    @Jiftoo Месяц назад +1

    what? why isn't every permission off by default?

  • @hungrymusicwolf
    @hungrymusicwolf Месяц назад +1

    Holy crap she's a bad ass at 17 years old.

  • @ckmichael8
    @ckmichael8 Месяц назад

    Probably need to check AWS Amplify too 😅
    Probably the NSA and KGB have all that data already.

  • @FeckOffTeaCup
    @FeckOffTeaCup Месяц назад

    This is how gray hats are created.

  • @sidthetech7623
    @sidthetech7623 Месяц назад +1

    Hackers, ethical ones especially, need to do a little more homework on the company as a whole and assess whether throwing a life jacket to them is even a good idea. I admire the hard work of the community and the striving for security, but I know there are some companies out there in the wild that I wouldn't piss on if they were on fire.
    It's seemingly a slap in the face from a company when an ethical hacker voluntarily plays hero and saves their server, only to get no thanks.
    In all fairness, the response or lack thereof is not a decision of the company as a whole, but could be more a communication chain disconnection... or laziness.

  • @Kane0123
    @Kane0123 Месяц назад +8

    How long are the Eva\MrBruh\Logykk's of the world expected to stay WhiteHat... those responses make me want to become Blackhat...

  • @socialsales2181
    @socialsales2181 Месяц назад

    The problem isn’t firebase. Firebase gives the option to be in dev mode or production. Dev gives full access to everything, production restricts access to everything and requires rules to access data. Firebase explicitly says dev mode is for testing only.

    • @erkeliwood6037
      @erkeliwood6037 Месяц назад +2

      You're right, but I think what Theo is saying is that the design decision to make it this way is a bad one, because in practice you get things like this happening.
      You could counter that by saying that people who don't bother to read the docs won't make more secure things using other tech, but a counter to that is that some other options make it harder to make insecure things.

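The dev-mode versus production-mode distinction discussed in the thread above, as an added illustration that is not part of any commenter's post: a Cloud Firestore rules file showing the wide-open rule the Firebase console generates for test mode next to a locked-down production baseline. The collection names (`users`, `jobs`, `admin`) and the `admin` custom claim are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Test-mode rule: every client holding the (public) web API key can read
    // and write every document. The console's generated version only adds a
    // 30-day expiry (request.time < timestamp.date(...)), which is still wide
    // open until that date passes. Kept here commented out for comparison.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Production-mode baseline: deny everything, then open specific paths.
    match /{document=**} {
      allow read, write: if false;
    }

    // Reusable helpers. Identity comes from the verified Firebase Auth token,
    // not from anything the client puts in a document.
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    // The admin flag is a custom claim set server-side with the Admin SDK
    // (assumed name: "admin"); a role field stored in a user-writable
    // document must not be used for this.
    function isAdmin() {
      return signedIn() && request.auth.token.admin == true;
    }

    // Users may only read and modify their own profile document.
    match /users/{uid} {
      allow create, read, update, delete: if isOwner(uid);
    }

    // Job postings (assumed collection): any signed-in user may read,
    // only admins may change them.
    match /jobs/{jobId} {
      allow read: if signedIn();
      allow write: if isAdmin();
    }

    // Admin-only area, including all nested documents.
    match /admin/{doc=**} {
      allow read, write: if isAdmin();
    }
  }
}
```

Firestore grants a request if any matching `allow` rule passes, so the deny-all block is harmless and makes the intent explicit; everything reachable is reachable because a narrower `match` opened it. The point the commenters circle around is that the API key is not the secret here: with the test-mode rule, possession of the key is all a client needs, and with the production rules the same key gets nothing without a valid auth token whose `uid` or `admin` claim satisfies the rule.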
  • @Bozebo
    @Bozebo Месяц назад

    Yeah when I would report vulns back when I was 17 back in the day (so we're talking just putting ' in 50%+ of login forms and seeing the clear sql injection potential, or ?page=../... in the addy) you just got ridiculous legal threats back and then... stop bothering to tell them. A certain huge international bank insisted base64 was encryption too.

    • @pianochess1882
      @pianochess1882 Месяц назад

      Classic base64 encryption. I've been told the same thing about gzip.

  • @meowmix0008
    @meowmix0008 Месяц назад +1

    That kiss sound effect at 40s is weird... Anyone hear that?

    • @Hapkumdo
      @Hapkumdo Месяц назад

      Of course, it was a reference to the support flirting.

  • @Satook
    @Satook Месяц назад

    Change the odds and make some money!
    What a bunch of idiots.

  • @Wilco2998
    @Wilco2998 Месяц назад

    could it maybe be that those that don't fix this are also breaking EU's GDPR?

  • @juanmacias5922
    @juanmacias5922 Месяц назад +5

    1:16 it's not about hiding the keys, these keys are public, the issue is that the Devs didn't secure the apps with the right rules. The documentation even says so. L take, if you are not reading the docs, and not following the suggested security rules, there's no way you can make your own secure backend.

    • @superjke718
      @superjke718 Месяц назад

      You are assuming most devs actually read docs lmao

    • @lalithrockz
      @lalithrockz Месяц назад

      It's impossible to not read docs. For making a video Theo doesn't need to read docs, but Theo should've. @@superjke718

    • @juanmacias5922
      @juanmacias5922 Месяц назад

      @@superjke718 then I go back to assume that a dev that doesn't read docs, will not be able to create a secure backend.

    • @rnts08
      @rnts08 Месяц назад

      You're assuming that js devs are knowledgeable enough to even understand an inch of security.

    • @superjke718
      @superjke718 Месяц назад

      @@rnts08 This

  • @mu11668B
    @mu11668B Месяц назад

    Chattr AI is the kind of company that we'd ditch asap if it were one of our suppliers.

  • @KeithStout
    @KeithStout Месяц назад

    Wow!

  • @zzzzzzzzzzzzzzzzzz1g
    @zzzzzzzzzzzzzzzzzz1g Месяц назад +11

    Biggest issue is firebase rules are written in a stupid language. If they just wrote them in normal js then this would be half solved already

    • @jxstxn__3958
      @jxstxn__3958 Месяц назад +3

      So Android, iOS and other types of developers shall learn JS? I agree that Firebase rules are not good, but JS doesn't seem to be an ideal solution for everyone using Firebase.
      Instead, I think it would BE BETTER TO have certain presets which you can choose so you don't have to deal with the rules.

    • @pablom8854
      @pablom8854 Месяц назад +1

      YES

    • @ark_knight
      @ark_knight Месяц назад

      I never understood firebase rules

    • @monad_tcp
      @monad_tcp Месяц назад +1

      The entire thing is stupid. Who thought exposing a database to the internet would be a good idea?
      No one exposes a Postgres or SQL Server port on the internet with an anonymous login account and just says "the permissions should be enough". Some might do, but it would be a HUGE red flag.

  • @sefzxm6486
    @sefzxm6486 Месяц назад

    humans being lazy is amazing when literal tens of dollars are available for actual businesses to spend on security and get lazy humans.. :return to loop

  • @williamokano
    @williamokano Месяц назад +1

    bruh

  • @dexterman6361
    @dexterman6361 Месяц назад

    AI isn't gonna replace me, these brilliant kids are
    Kudos fellas. God speed
    Time for me to get crack-a-lackin and go back to school

  • @Khari99
    @Khari99 Месяц назад

    Amazing devs that do thankless work keep the world going because all it takes is one motivated bad actor to destroy a good chunk of the internet. Completely insane.

  • @pianochess1882
    @pianochess1882 Месяц назад

    Is it really legal to store 125 million records of PII that are only accidentally public? The users who entered the data surely expected it to not be public.

  • @imanthonyholmes
    @imanthonyholmes Месяц назад

    Crazy