Firebase authentication vulnerability. Unknown users in Firebase

So I have an app where I have enabled Google authentication in my Firebase project. 25 people I know were authenticated. When I logged in to the backend I saw at least some 80 entries with some weird-sounding email addresses which should not be there. I had to delete all the entries manually, known and unknown ones (didn't need any after successful testing). Now that I want to go live, I am really concerned as to how unknown entries entered my Firebase authentication records.

This has recently happened 'again' to another new app/project of mine. This time I disabled that unknown email address and took a screenshot (attached). I really, really need to know and understand how safe the data on Firestore is. If someone can manage to 'hack' the Authentication part and add their email to the authenticated list of users, they may also be able to penetrate the database somehow in future. Please help me understand what is happening.

While researching this, I could only find this similar question, but the answer just wasn't enough of an explanation for me.

Unknown user in my firebase user authentication (Flutter/firebase)

firebaser here

Since the configuration data for your project is embedded in the application that you send to your users, any user can take that configuration data and then start calling the API with it. This is not a security risk, as long as you secure access to the data within your project correctly for your requirements.

See Is it safe to expose Firebase apiKey to the public?


What it means to correctly secure access to your data is hard to answer, as it depends completely on your use-case.

For example: the content-owner only access security rules allow a user to enter data in the database, and then they can access the data they entered. With these rules there's no risk if anyone uses the API (and not your app) to do the same. The security rules will ensure they can only access data they're authorized for, no matter what the source of the API calls is.
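The content-owner only access pattern described in this answer, as an added example that is not part of the question or any of the answers: a Firestore rules file that shows the open rule (anyone holding the public project config can read and write everything) next to the owner-scoped rule. The collection name `notes` and the field `ownerId` are assumptions chosen for illustration.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (left commented out): every caller that has the public
    // config, not just your app, may read and write every document.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Content-owner only. "notes" and "ownerId" are assumed names.
    match /notes/{noteId} {
      // A signed-in user may create a document only if it records
      // their own uid as the owner.
      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid;

      // Only the owner may read or delete the document.
      allow read, delete: if request.auth != null
                          && resource.data.ownerId == request.auth.uid;

      // Only the owner may update it, and the update may not hand
      // ownership to someone else.
      allow update: if request.auth != null
                    && resource.data.ownerId == request.auth.uid
                    && request.resource.data.ownerId == resource.data.ownerId;
    }

    // Everything not matched above is denied by default.
  }
}
```

With these rules, an extra account in the Authentication list (a crawler, a reviewer, or someone calling the API directly with the extracted config) can sign in, but can only ever see documents whose `ownerId` equals its own uid. The rules can be exercised against a test uid in the Rules Playground in the Firebase console or with the local Firestore emulator before deploying.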

It may be related to the pre-launch report.

https://support.google.com/googleplay/android-developer/answer/9842757?visit_id=637478112313064713-650300184&rd=1#signin

Step 1: Provide test account credentials if your app has a sign-in screen. If your app has a sign-in screen and you want the crawler to test the sign-in process or the content behind it, you need to provide account credentials. Note: You do not need to provide credentials if your app supports 'Sign in with Google', which enables the crawler to log in automatically.

So I guess it is safe.

The user willwhiteapple@gmail.com is the Apple test account, used when your application is going through Apple's validation before being deployed to TestFlight.
