900 Sites, 125M accounts, 1 Vulnerability

I worked at Firebase for many years and the concerns with security rules have always plagued the product. We tried a lot of approaches (self expiring default rules, more education, etc) but at the end of the day we still see a lot of insecure databases.<p>I think the reasons for this are complex.<p>First, security rules as implemented by Firebase are still a novel concept. A new dev joining a team adding data into an existing location probably won’t go back and fix rules to reflect that the privacy requirements of that data has changed.<p>Second, without the security of obscurity created by random in-house implementations of backends, scanning en masse becomes easier.<p>Finally, security rules are just hard. Especially for realtime database, they are hard to write and don’t scale well. This comes up a lot less than you’d think though, as any time automated scanning is used it’s just looking for open data, anything beyond “read write true” as we called it would have prevented this.<p>Technically there is nothing wrong with the Firebase approach but because it is one of the only backends which use this model (one based around stored data and security rules), it opens itself up to misunderstanding, improper use, and issues like this.

This reminds me of &quot;How I pwned half of America’s fast food chains, simultaneously.&quot; <a href="https:&#x2F;&#x2F;mrbruh.com&#x2F;chattr&#x2F;" rel="nofollow">https:&#x2F;&#x2F;mrbruh.com&#x2F;chattr&#x2F;</a><p>HN: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=38933999">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=38933999</a>

Correct me if I&#x27;m wrong, but 75% of sites with these vulns are still just hanging out there ready to be dumped, according to the end of this post?<p>Insane.<p>Some days I think one ought to be licensed to touch a computer.

This is the inevitable outcome of picking cheap-fast from the cheap-fast-good PM triangle. Unfortunately for some customers&#x2F;users, their concerns were left out of the conversation and their PII is the cost.<p>I’d be wary of any company listed here that made that decision and hasn’t changed leadership, as it has been proven time and time again that many companies simply don’t care enough about customers enough to protect them. History repeats itself.

I have a very basic Firebase question: are most of the apps described in this post implemented entirely as statically hosted client-side JavaScript with no custom server-side code at all - the backend is 100% a hosted-by-Google Firebase configuration?<p>If so, I hadn&#x27;t realized how common that architecture had become for sites with millions of users.

900 Sites, 125 million accounts, 1 vulnerability, 0 Girlfriends.

The customer support gave me a good laugh. Thanks

Stuff like this, makes me thankful to have chosen password managers and virtual cards a long time ago...<p>Still this makes the interent scarier. Most people don&#x27;t have a clue how fragile the web is and how vunerable they are.

&gt; Turns out that a Python program with ~500 threads will start to chew up memory over time.<p>Anyone have more info about this issue? I&#x27;ve got a scraper myself in Python with a few hundred threads which seems to eat a lot of memory. Any workarounds or is the only solution to rewrite in another language?

Good job!<p>I’d be interested to know how you’re coming to the conclusion that the amount of affected users is likely higher. From the looks of it, I’d suspect that at least some of the sites you mention (gambling, lead carrot) to be littered with fake account data.

That customer support looked like an automated AI response.. But I’m not surprised of the scale, years ago same thing happened with AWS cloud XY service, and you would find the token literally in plaintext in millions of smartphones apps.

Has Supabase learned from this and done a better job?

Great work and an awesome write up.

Can you migrate data from Firebase database to PostgreSQL or similar?

What would be the correct way to set up security to prevent this?

I&#x27;ve never really understood how Firebase makes any sense. Why would you let the frontend access the database directly?

Go for the win.<p>And we&#x27;re still in the Wild West when it comes to internet business even after 20 years of &quot;verified&quot; domains.

Someone should develop a browser plugin to warn you if a site is using firebase...

doing gods work here man, thank you for your work!

Never. Trust. The. Client.

Laughed out loud with the “Customer support tried to flirt with me when attempting to report the issue”, “I want to be your gf, you very smart” lol the print looks like Kik Messenger?

biggest threat on the web is Google. They lower the bar so low that people who have no business collecting user information are collecting user information, then they host it insecurely for you with no liability to the end user whatsoever.<p>Not only that but they provide the same crappy services to schools and scummy gambling websites alike.<p>It frustrates me watching people who believe they are professionals flock to these services. Honestly, if you can&#x27;t roll your own you probably shouldn&#x27;t let someone roll this for you. But Google won&#x27;t say no and none of you cloud devs can help yourself. So we have this race to the bottom in cost and first to market and all the products are least common denominator shit that gets built in 6 hours by copy pasting as many GH repositories together as possible on rented infra.