125 Million Effected Accounts By FireBase Configuration 

ThePrimeTime
102K views

Recorded live on twitch, GET IN
Article
env.fail/posts/firewreck-1/
By: mrbruh, xyzeva & logykk | env.fail/about

Category: Science

Published: 1 May 2024

Comments: 217
@xiaoshen194 1 month ago
U meant affected*
@NabekenProG87 1 month ago
effect(users)
@trappedcat3615 1 month ago
*You "U" is not a word. Also, you wrote a sentence without a period (big no no).
@FinahRS 1 month ago
@trappedcat3615 Your first sentence in your comment doesn't have a period, lol.
@Dannnneh 1 month ago
@trappedcat3615 You put the corrective asterisk on the wrong side of the "You". Also, you didn't hyphenate "no-no".
@NabekenProG87 1 month ago
@trappedcat3615 What about sentences with two periods..
@philunruh2368 1 month ago
For those wondering, Firestore rejects all requests by default. You have to set up security rules to access data. You do have the option to run your database in test mode, where all data is publicly available. I’m guessing a good percentage of this data was exposed because the database was in test mode.
@juanmacias5922 1 month ago
Exactly, and because the devs did not RTFM...
@soverain 1 month ago
In fact test mode is disabled automatically after 30 days. So it has to be deliberately set to public access after that period.
@mrnEight8 1 month ago
@soverain yeah, I was thinking the same…devs stay wondering why ITOPS and SecOPS give them crap about their dev and prod environments…here’s why..
@ericjbowman1708 29 days ago
Doesn't matter. Passwords should never be saved as plain text, period.
@softwaredeveloper6791 29 days ago
@ericjbowman1708 If the password isn't stored as plain text in a txt document, then how will the logins work? I can't remember what day of the week it is, much less my password (currently it's P4ssw0rd)
@ericwadebrown 1 month ago
s/Effected/Affected
@RickYorgason 29 days ago
Maybe 125 million accounts were created.
@omri9325 29 days ago
The typos are intentional to make you comment and get the algorithm to boost it
@art0007i 29 days ago
Reminds me of a video I saw recently ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-CzXJ0i4xABI.html
@ericwadebrown 29 days ago
@omri9325 That makes sense. He is a clown like that.
@EnterANameReal 1 month ago
My interpretation of the "do you have a girlfriend?" message - support person being customer-facing has *zero* idea what Firebase is - they get the message, and think it's a scammer trying to get them to do some exploit - they "play around" with the scammer and respond jokingly
@chindianajones3742 29 days ago
Yes I've done this with scam text messages lol
@Leonhart_93 29 days ago
Likely. And anyway, it's advantageous to try the guy to open up for free and 99% of them will be guys.
@HyperionStudiosDE 29 days ago
or they are the scammer and just don't care that they're exposing data.
@daddy7860 28 days ago
Or it was a scam organization's hired underpaid 14 year old Indonesian girl as customer support
@shaunkruger 1 month ago
The unencrypted passwords on the gambling site aren’t a bug, it’s probably a feature of the identity theft honeypot.
@user-in2cs1vp6o 1 month ago
Wouldn't the thief want it encrypted for themselves
@pianochess1882 29 days ago
You generally don’t encrypt passwords, but you rather hash them
@cj.wijtmans 29 days ago
@pianochess1882 a hash is a one way encryption.
@caseykawamura8718 1 month ago
This is funny, I remember setting up a firebase project while I was in school and thought it was really stressful having to teach myself how to be secure handling information. I thought about how there were tons of projects that probably aren't set up correctly and didn't do anything about it because I assumed I just had skill issues and everyone else knew how to be secure with their firebase setup. I never thought about it being considered a major vulnerability like this...
@caseykawamura8718 1 month ago
Are there bounties for stuff like this where it's a documentation vulnerability?
@ValipPowa 1 month ago
it isn't a vulnerability lol the site owners quite literally ALLOW you to fetch from db they just didn't care about permissions
@caseykawamura8718 1 month ago
@ValipPowa I wouldn't have considered it a vulnerability either, but there are a lot of people just learning firebase and don't recognize that the doc sets default users to read/write. In a roundabout way this caused a lot of people to have their PII stolen. Is it google's fault? idk.. it's a weird situation. It does look really bad on them though when so many of their users have this kind of problem from following THEIR instructions.
@ElclarkKuhu 1 month ago
@caseykawamura8718 No, it's not r/w by default. Some people say you'll need to enable test mode to make it r/w and it's automatically disabled every 30 days, but i can't confirm it, i haven't used firebase in years
@RandomNoob1124 29 days ago
Well that’s just a problem in software in general, people never think about security initially. It’s never a skill issue to think about security first, actually the opposite. If you think it was stressful in the beginning, it is damn near impossible when you already built your system and did not put one thought into security
@Ryan-in3ot 1 month ago
firebase sends me an email every four hours saying "any user can read your entire database" which is the entire point of my site. I know that's a separate issue from users exposing their auth keys but at least firebase cares a little
@TheBuddilla 1 month ago
Almost every Influencer "Just use third party services, it's inherently safer than rolling your own..." Doesn't matter what service you use or if you roll your own. A skill issue is a skill issue.
@user-gi4qu9do2v 1 month ago
In most cases password hash + salt approach is more safe for users and more convenient for devs (you can do awesome things when you define how auth works). To be honest, it's not skill issue - sometimes doc for such services sucks. It's easy to set up, but there is no nuances and creators thoughts on what's happening and how it's working.
@andythedishwasher1117 1 month ago
I usually try to be safe by using a social provider and not touching a user's password with a ten foot pole. When I need to store their email or phone number or other PII, I set up a security rule on the Firestore collection that only allows clients logged in as the user to access that particular user's data, but no one else's. Firebase docs provide a pretty specific config for that exact use case.
@juanmacias5922 1 month ago
There are way more skill issues when rolling out your own, than by just reading the documentation. Firebase plainly states that you need to set up the rules.
@TheBuddilla 1 month ago
@juanmacias5922 Rolling your own has the same security concerns as getting vendor locked in a 3rd party system and I see no difference. I moved back to python, php and even c/cpp... JS/TS ecosystem is all messed up and just a big circle jerk of new shiny things and serverless vendors being promoted by influencers... Not reading docs is a skill issue, I even struggle with it myself. At some point I'll port some things to rust...
@TheBuddilla 1 month ago
@andythedishwasher1117 How hard is it to argon2 hash a password and then later compare it when a user logs in. You're basically just running an api key and off loading the login to a third party that has a bigger target on its back. If your api key gets compromised your users are exposed and you expose yourself to high fees when your api key is used for nefarious reasons. Also, if your third party provider goes down as most of them are on AWS which has an even bigger target on its back your users are still screwed.
@duke605 1 month ago
I wouldn't call this a vulnerability, i would call this a skill issue
@davesomeone4059 1 month ago
Same thing
@duke605 29 days ago
@davesomeone4059 yes and no. Buffer overflow and memory vulnerabilities are technically skill issues. But I wouldn't put them on the same level as not setting up permissions for your database properly/at all
@edism 27 days ago
@davesomeone4059 No, configuration issues are the dev's fault
@user-oj7uc8tw9r 1 month ago
We are going to have to talk to Fireship about this
@TheGkmasta 1 month ago
Used Firebase for a project several years ago. Setting up the DB auth rules was the most convoluted and meticulous thing I've ever had to do in software development. I can see how it could easily be screwed up. (I'm assuming the general method is still the same as it was back then.)
@adriankal 29 days ago
It wasn't even remotely as hard as securing backend with sql db or mongo. Protecting against sql injection, ddos attacks etc is way harder than writing a few firebase rules.
@TheGkmasta 29 days ago
@adriankal Funny, those things seem easy to me. I guess we all have our different tolerances and blind spots in development. However, my application required way more than "a few" rules.
@martenkahr3365 1 month ago
Interesting fact about casinos: a lot of the elderly folks you see in them don't really care about winning. They're there because it averages out to be cheaper than retirement home rates, and the first aid training of the security staff tends to be pretty good.
@snorman1911 1 month ago
Are they sleeping in the casino?
@nikolaygruychev2504 29 days ago
i see no sources in ur comment and this doesn't seem that plausible but imma take your word for it because its kinda funny
@cedricol 29 days ago
@nikolaygruychev2504 same. It's probably BS, but I will believe it because it's a good story.
@andythedishwasher1117 1 month ago
I have to put some of this on Firebase for using a really confusing and relatively unique configuration syntax for security rules. However, it is pretty clearly documented at the moment. My guess is a lot of this is a relic of when it was NOT clearly documented. Probably a lot more of it is incompetent business owners and/or contractors who just blindly clicked default options in order to post up something quickly/impressively, possibly with the intention of reconfiguring it before pushing to prod, possibly ignoring the warnings entirely. Either way, this is a pretty massive blow to the platform's reputation.
@Dom-zy1qy 1 month ago
I wouldn't say firebase gives "zero warnings", but maybe i just don't know that they existed in my apps that used it. Specifically for firebase realtime, it's easy to misconfigure something, but I think they do let you know when you're configuring something that could lead to security vulnerabilities. I'd just assume most of these things would be discovered before going to prod.
@NuncNuncNuncNunc 1 month ago
User passwords stored in plaintext - I think we put some of this down to skill issues. Good chance this is only the surface. How many sites allow unauthorized access to cloud functions. Just a simple example probably without any security concerns, but one of the sites has a simple function to get the server's unixtime. There's no need for it to be open and firestore can check that requests come only from the site itself. How many POST requests behave the same way?
@Tw33ty271 1 month ago
1 streamer effected by Flip's editing today 😅
@Jeremyak 29 days ago
kudos to the 2 sites that offered bug bounties.
@kiwikemist 1 month ago
Doesn't firebase specifically have a mode for local hosting so you can test your security rules before putting them in production?
@intesoft-inc 1 month ago
Yes, and also a unit testing framework to test the rules with every scenario you can come up with. This is 100% a skill issue.
@kiwikemist 29 days ago
@intesoft-inc I thought as much
@edism 1 month ago
AFFECTED*
@edugar88 1 month ago
Nice move Flip xD
@supermarinespitfire1 1 month ago
'Affected' brah
@softwaredeveloper6791 29 days ago
GCP is very loosey goosey with permissions. For example, creating a user in the cloud database gives them all the permissions. It's up to the concerned IT guy to then go into the database instance to limit the permissions.
@khanra17 25 days ago
I have accessed so many firebases from years. But the meat is they were teachers on RU-vid who teach about development 😂. Many of them had write access
@robertm4934 1 month ago
AFFECT*
@Destide 1 month ago
Theo going to be mad
@sidouglas 29 days ago
Yup, Theo was first.
@jcmorin2007 29 days ago
The fact 75% DIDN'T fix their database, would it be responsible to release the source of the script so that everyone can grab the data?
@jerrodc8019 29 days ago
Prime, you know what you've done... I'm curious how much it will affect your numbers.
@human_shaped 29 days ago
Affected
@eno88 1 month ago
effected. verb. caused something to happen; brought about. affected. adjective. influenced or touched by an external factor.
@pseudocoder78 29 days ago
Effected can also be used as an adjective but obviously that wasn't the intent here.
@Pollux70 29 days ago
Prime is far more hyped up this episode.
@jonnyso1 1 month ago
DUDE !
@seasn5553 1 month ago
I got into my community college's website that way lol. People will ALWAYS be a point of failure
@anonlegion9096 29 days ago
10:40 is it possible they were looking for hard-coded API keys/high entropy secrets? I've seen shit like this in production far too many times for comfort.
@pianochess1882 29 days ago
Is it really legal to store 125 million records of personal information in a private database, considering that data was only accidentally public?
@donf2944 1 month ago
just giggling doorhandles. wow
@cedricol 29 days ago
Frankly, that's hardly a Firebase issue, since it defaults to denying all requests, and you have to write rules to decide what's allowed, usually depending on logged-in user (eg. the logged in user can see his own profile record). And anything you'd read via the admin SDK, you wouldn't allow at all. Those "developers" either intentionally wrote in the config to allow all requests, or actively put it in test mode (used for development) every 30 days (since that mode expires after 30d), and ignore the regular warning emails that they get from the service. It's one of those cases where the tool does everything right to protect you, but you still go against it and all its warnings and open everything.
@davguev 1 month ago
Affected*
@pharoah327 29 days ago
The fact that they were surprised at Python's poor handling of threads and memory makes me think they don't know Python. That's kind of common knowledge under things Python doesn't do well.
@greyroot00 29 days ago
Firebase auth system does not store password in plaintext isn't it. You need to put effort to store password in plain text, it is closer to malicious than incompetence.
@MegaGorgot 29 days ago
I'm honestly glad that I decided to move to supabase as a solo developer. It's just horrible in so many ways.
@samiraperi467 1 month ago
"We set to work scanning the entire internet for exposed PP uh PII" Is that a Freudian slip? 🤔
@BiHMaverick 1 month ago
there's PPI and PII, PPI - Protected Personal Information.
@AlecMaly 1 month ago
SaaS apps are insecure by design because it's easier for developers to get started. It's a business strategy, a fine line to walk between security and ease of use.
@JimAllen-Persona 1 month ago
Called it Catalyst.. the brand name of a Cisco appliance. Ironic.
@bohdanvinter6929 29 days ago
...agen!
@mvs2403 1 month ago
To be fair, I think there is some kind of warning, everyone just ignores it during development and forgets to change it and reset those security rules when publishing
@cedricol 29 days ago
Makes you wonder whether you can use the skill issue of gambling websites against them, and tip the odds in your favour.
@DaVinc-hi7hd 29 days ago
I think they must be putting all their efforts in getting the odds in their favor, so that might be hard.
@Nocare89 1 month ago
You could just craft a google search for domains which include firebase sdk files or urls.
@NeuravnoveRS 1 month ago
I'm pretty sure that a python program with ~>1thread will start to chew up memory immediately. I'm not a python hater, it's a great tool for mathematicians(lol Julia dead lang) and other grad students in stem.
@LouisDuran 1 month ago
Just want to say: Affected
@DMWatchesYoutube 1 month ago
Bro you don't even need to be a hacker, just be a magpie and scrub the floor
@_GhostMiner 29 days ago
**AFFECTED*
@bobwilkinsonguitar6142 1 month ago
Thank god it's not just me making horrible firebase rules. Can't figure out how to give my users the access they need, while prohibiting what they don't. Skill issue.
@britneyfreek 1 month ago
ever thought about not putting users data somewhere you can’t control?
@bobwilkinsonguitar6142 1 month ago
@britneyfreek I have zero users, and am developing for fun, should have specified that users=null
@bobwilkinsonguitar6142 1 month ago
Still learning!
@comedyman4896 29 days ago
"125 million accounts, 1 vulnerability" sounds like a porn title for robots
@spl45hz 1 month ago
This not even includes the common read all access if signed in...
@Fernando-ry5qt 1 month ago
Yeah, there is a really high chance they gave * access to every collection and just filtered with the user id...... I've seen that before and makes me sad
@Nocare89 1 month ago
Yeah, I think that's the default rule set lol. It is at least a common intro example which people probably often don't change.
@Fernando-ry5qt 1 month ago
@Nocare89 Tbh it's been a long time so I don't remember, but I think you get a warning when trying to deploy the project if your rule set is default? yeah..... I had a LOT of troubles configuring that file years ago
@Nocare89 1 month ago
@Fernando-ry5qt If there is a warning it is just buried in terminal output. I think you get a warning in the console site if you have global read permissions but I'm not even confident with that one.
@crisdebug8675 1 month ago
Not exactly a security risk, but there was a moment when I inadvertently made an infinite loop that was: 1. Making a lot of writes to Firestore 2. Spamming users with notifications Later I saw that it had >2B writes and 700 US$ of cost.
@DaVinc-hi7hd 29 days ago
wow, you had to pay for that ? was it a personal project ?
@crisdebug8675 29 days ago
@DaVinc-hi7hd Nope and Nope. Fortunately, the company was like "Eh, that kind of thing happens, we'll cover this time. But make sure to test properly next time!"
@DaVinc-hi7hd 29 days ago
@crisdebug8675 oh, that's very kind of them !! how much time did it take for those >2B writes to complete/you to notice ?
@crisdebug8675 29 days ago
@DaVinc-hi7hd it was a couple of hours. I was going to check something on the firebase project, and saw the initial dashboard and thought "Wait a second, why Firestore has a 2B on it?"
@pauldraper1736 1 month ago
*Affected
@AllenLantz 1 month ago
Only clicked on the video to say this
@pauldraper1736 1 month ago
@AllenLantz maybe it's intentional then 😂
@InternetKilledTV21 28 days ago
RooBet, although RooBet publishes their starter seeds so maybe it's not the best example of degen unreg?
@SimonJackson13 1 month ago
Sounds like client state not being server state checked.
@njnjhjh8918 29 days ago
watched
@StephenMoreira 1 month ago
Misleading I feel like, it's more companies not caring about security, it's super obvious if firebase is allowing full access.
@user-kh3ub8hs4e 1 month ago
Yeah - if you started a project and you use client side queries - it's open by default and emails you everyday after awhile to edit rules.
@StephenMoreira 1 month ago
@user-kh3ub8hs4e God i forgot it does email you.
@amandasandell3351 1 month ago
affected*
@DragoNate 29 days ago
Shouldn't the title say "Affected", ser?
@GlimmerOfLight 29 days ago
"Affected" .. please!
@bmc_ 1 month ago
SEESH
@ThomasWSmith-wm5xn 1 month ago
So much of this isn't firebase's fault as much as - firebase is a very easy tool to use and attracts ... less skilled people.
@kucingoyen1 1 month ago
Who in the world saving password as a plain text!?
@onclimber5067 1 month ago
They should make their code public or host on a website so people can check their own website for vulnerabilities
@JoshuaMoreno 29 days ago
THERE IS A GODDAMN WIZARD WHEN YOU CREATE THE DB THAT HANDLES THIS none of the default options allow unauthorized access after 30 days of the db creation, any fully public access config is 100% responsibility of a lazy dev that probs should be fired, yes, skill issue if you select "test mode" it'll allow unauthed for 30 days "production mode" will only allow authed access
@sidthetech7623 1 month ago
Let's talk about the 0% payout on some of these gambling websites.
@diegolikescode 1 month ago
Ligmed a lot of memory
@EllGeeLabs 29 days ago
It's "affected", not "effected."
@Mempler 1 month ago
If you want something done right, do it yourself. except that if you do it yourself, your whole database is already on the internet
@wolfgangsanyer3544 29 days ago
*affected
@MikePaixao 29 days ago
I remember having to limit Python max threads because every pc in the office would fail at different max counts 😅 thanks windows.
@sampleshawn5380 1 month ago
"should have been Rust" 😂
@TayambaMwanza 1 month ago
Bruh, firebase has auth, why store plain text passwords.
@DMWatchesYoutube 1 month ago
Python the only true thread ripper
@bearwolffish 1 month ago
The real skill issue is not having time to understand first hand, the 3rd party protocols we rely on.
@andythedishwasher1117 1 month ago
How much you wanna bet Upwork is about to be flooded with requests for "Firebase experts"?
@apoorvaditya5265 29 days ago
I just came here to say affected. Bye!
@pupu6oi74 28 days ago
affected
@chris-pee 28 days ago
That's the natural consequence of putting Row Level Security in the hands of ignorants. Or just people who don't care.
@DeviantFox 29 days ago
Prime .. I'm disappointed .. it should have been, "I've never configured firebase, let alone misconfigured it"
@ccj2 1 month ago
You don’t need to know anything about Firebase. Run very very far away
@britneyfreek 1 month ago
put all your privacy into the cloud and don’t ask questions they said.
@ripkm-iwaly 29 days ago
anybody who says that is either dumb, sadistic or stands to profit from it somehow
@TehPwnerer 29 days ago
Why wait for the thing to complete then go on with the next step obviously you'd have a bunch of data to work with along the way while this script was at work and then why would you manually go through anything when you just wrote a script to dump a bunch of stuff in a file for you to go over it makes no sense
@danielmajer1648 29 days ago
They used multiprocessing not threading. They have copied the same process with different inputs 500 times. *Skill issue
@Jensemann099 1 month ago
firebase, supabase.... sick of all this bullshit. Yeahhh I know, it scales so gooood for a superlarge start-up scenario. goosh wake up.
@covle9180 29 days ago
Dumpster firebase
@fuyukaidesu1641 1 month ago
>effected
@spartanace13 1 month ago
Fifth
@thevortexATM 1 month ago
stupid things like this are going to lead to the forcing of a digital ID :(
@and_I_am_Life_the_fixer_of_all 1 month ago
nothing to hide, nothing to fear.. unless you are in a fucked up place I guess..
@petersuvara 1 month ago
Firebase security rules and their documentation are a horrendously poor way of managing the entire system. You cannot perform any regex in the rules themselves. It’s a disaster.
@Nocare89 1 month ago
Incorrect, you have access to a weird google specific regex that's really hard to test a working version of outside of the rules engine itself. But it does work just fine. I would instead point to the lack of 'else' statements which really messes with a modern programmer. That and ternary conditions which evaluate all paths regardless of the designated winning path from the primary condition.
@petersuvara 1 month ago
@Nocare89 I tried it to match user names, doesn’t work. We have no idea how to work around it atm and are looking at custom encryption.
@science_trip 1 month ago
loool and all these "ex-Googles" judging PHP and WordPress 🤣🤣🤣🤣🤣
@ahmadjames151 1 month ago
You are a Muslim 😍
@Kane0123 1 month ago
No one is properly appreciating just how blazingly fast low code solutions helped to make this. They would have been so slow to market with their insecure products having to write all the code and infra themselves. #EveryoneShouldCode
@poderosoexcalibur-yp3kl 1 month ago
i hate firebase
@asdanjer 1 month ago
U have a critical issue! All your customer data is exposed! Ok so we have a slot open in 2 sprints...
@deadbeef576 29 days ago
Not so prime grammar/spelling. It's affected, not effected.
@corycaserta748 28 days ago
Affected, @ThePrimeagen, sir...._A_ffected....