Firebase is a mobile and web application development platform developed by Google. It offers a wide range of services that simplify the creation, testing, analysis and monitoring of applications. The Realtime Database is a real-time cloud database that allows developers to store and synchronize data between users in real time. It is particularly useful for all those projects that require instant data updates: think, for example, of real-time chats and collaboration apps.
A tool like Firebase is made up of numerous pieces: among them there is also Firestorea NoSQL database that offers advanced features such as complex queries, autoscaling, and real-time synchronization.
The Cloud Functions of Firebase allow developers to write and deploy code serverless which is activated in response to specific events, including within other Google Cloud services. They are useful for performing backend operations without necessarily having to manage a server.
Advanced tools for monitor performance of applications, theengagement of users and their behavior, allow you to extract detailed data on user sessions, events and much more.
Firebase is used in a wide range of applications, including games, social apps, e-commerce platforms, messaging apps, enterprise applications,… Its flexibility and wide range of services make it a popular choice for developers who want accelerate development of their applications, improving performance and user experience.
Firebase database security is too often underestimated: the results are dramatic
A group of researchers recently developed a script that searches for databases Firebase retrieved from millions of domain names.
By analyzing site data and, specifically, the content of file JavaScript Pulled from individual public web pages, the experts searched for common Firebase initialization variables using an automated approach.
The situation immediately seemed dramatic: many administrators unfortunately decided to take shortcuts, forgetting to implement safety rules adequate.
A tool like Firepwn helps verify the security rules of a Firebase application, focusing on aspects of authentication e authorization. Unfortunately, however, the tool created to identify and exploit vulnerabilities present in Firebase configurations (available as an open source product on GitHub) is evidently not used by many developers.
Firepwn uses Google services such as Firebase Auth, Firestore and Cloud Functions via the Client SDK to conduct safety tests in-depth. It also allows you to write custom JavaScript code, exposing any security gaps.
Vulnerabilities in apps using Firebase expose millions of personal data
A recent investigation highlighted how many instances of Firebase, publicly exposed online, put the privacy of millions of users. The researchers first developed a rudimentary script in Python and then refined it in Go, in order to speed it up and examine millions of domains looking for any vulnerability.
Always with the aim of improving performance, the technicians made use of a tool called Catalyst to automate the process of finding vulnerabilities in websites and specifically, in the JavaScript files used to invoke Firebase instances. Catalyst made it easier to identify access to Firebase databases by checking for the potential presence of sensitive data and personal information.
When Catalyst finds read access to a Firebase data collection, it attempts to independently evaluate the impact of thedata display by collecting a sample of 100 records, checking the type of information contained and extrapolating it accordingly. A bit out of provocation, the researchers therefore decided to make use of Supabase (direct open source rival of Firebase, which “under the hood” exploits PostgreSQL) to save and archive the “raked” data.
The scan results are shocking. The researchers identified further 125 million records user exposed: inside them, data such as clear passwordbilling information and other strictly personal evidence (for example names and surnames, email addresses and telephone numbers).
The same scholars note that the numbers may be underestimated, since the scan may not have detected many other equally “open” Firebase instances.
What happened after security issues related to the Firebase implementation were discovered
After discovering the issue, the team contacted the owners of the affected sites. However, only a small percentage of them responded and took appropriate countermeasures to resolve the vulnerabilities. Only 0.2% of website operators affected by “dangerous” Firebase configurations offered a reward for the responsible reporting of vulnerabilities.
The new discovery highlights the importance of correct configuration of security rules on platforms like Firebase. Although tools like Firepwn and Catalyst can help identify vulnerabilities, it is critical that developers adopt best practices to ensure the security of user data. Only through collaboration between researchers, developers and cloud service providers is it truly possible to effectively protect online privacy.
Where does the problem with using insecure Firebase configurations come from?
Firebase “security rules” are the mechanism that allows you to limit access to data in the database based on certain conditions. The rules are defined using a specific language and can be applied at the database or individual node level. This approach may be “new” for many developers.
Especially for real-time databases, Firebase security rules can appear difficult to write and understand. This is because they must take into account multiple factors, such as the type of user, data and permitted actions. The syntax to use can actually lead to errors in the definition of the rulescompromising data security.
While security rules may work well for small projects or a limited number of users, they may not be as effective when the volume of data or the number of users increases significantly. The rules must be adapted to the reading and writing operations in the database; excessive complexity or a large number of rules could slow down system performance.
While the concept of Firebase security rules may be sound and technically correct, there are several factors that can make their proper implementation and management difficult, leading to potential vulnerabilities.