
Cons of letting unauthenticated users access database in Firebase?

What are the cons of setting security rules of Firebase database such that unauthenticated users could also access the database? In what ways can the database be attacked?

By default all Firebase databases are accessible via the id of the project:

For example:
You could browse the database from any computer using the project id: 'https://[PROJECT_ID].firebaseio.com/.json' (GET request)

We could also make POST, PATCH and DELETE requests to your database and clear it out!

curl -X POST -d '{"myData" : "in", "your" : "Database!"}' \
  'https://[PROJECT_ID].firebaseio.com/yourHacked.json'

If you have security rules in place, this functionality will still work if you send Auth tokens with the requests. (So it becomes safer with every security rule you add).

With security rules you can make sure that only the data owner can edit or read it:

{
  "rules": {
    "Notes": {
      "$userId": {
        // grant read/write permission to the owner of this note,
        // whose uid must exactly match the key ($userId)
        ".write": "$userId === auth.uid",
        ".read": "$userId === auth.uid"
      }
    }
  }
}


Attackers may use your database as their own, causing you a lot of traffic, data corruption/mining, and money (usage quotas).

See the following reference for more info:
https://firebase.google.com/docs/reference/rest/database/
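The requests above can be turned into a quick self-check. The following is an added example and not code from the answer or from Firebase: it probes a Realtime Database over the same REST endpoint the curl call uses, first with a shallow GET (so an open database is not downloaded wholesale), then with a PUT under a scratch key that is deleted again if the write succeeds. It assumes Node 18+ for the global `fetch`, the legacy `[PROJECT_ID].firebaseio.com` host, the scratch key `__rules_probe__`, and that the `fetch` implementation is injectable; the two fake fetch functions at the bottom are constructed responses so the probe can be run offline.

```javascript
// Added example (not from the original answers): probe whether a Firebase
// Realtime Database answers unauthenticated REST requests.
// Assumes Node 18+ (global fetch). fetchImpl is injectable so the probe can be
// exercised offline against constructed responses.

const PROBE_PATH = "__rules_probe__"; // assumed scratch key for the write test

// Build the REST URL for a path; assumes the legacy firebaseio.com host.
function dbUrl(projectId, path, query = "") {
  return `https://${projectId}.firebaseio.com/${path}.json${query}`;
}

// Map the REST status codes the Realtime Database documents:
// 200 = allowed, 401 = rejected by security rules, 404 = database not found.
function classify(status) {
  if (status === 200) return "allowed";
  if (status === 401) return "denied-by-rules";
  if (status === 404) return "not-found";
  return `unexpected-${status}`;
}

async function probeFirebaseDb(projectId, fetchImpl = fetch) {
  // Read probe: shallow=true returns only top-level keys, so a large open
  // database does not get downloaded just to learn that it is open.
  const read = await fetchImpl(dbUrl(projectId, "", "?shallow=true"));
  const unauthenticatedRead = classify(read.status);
  const topLevelKeys =
    unauthenticatedRead === "allowed" ? Object.keys((await read.json()) ?? {}) : [];

  // Write probe: PUT a marker under a scratch key, then DELETE it again.
  // This does modify an open database, so only run it against your own project.
  const write = await fetchImpl(dbUrl(projectId, PROBE_PATH), {
    method: "PUT",
    body: JSON.stringify({ probe: true }),
  });
  const unauthenticatedWrite = classify(write.status);
  if (unauthenticatedWrite === "allowed") {
    await fetchImpl(dbUrl(projectId, PROBE_PATH), { method: "DELETE" });
  }

  return { projectId, unauthenticatedRead, unauthenticatedWrite, topLevelKeys };
}

// Constructed fake fetch: models a database whose rules let anyone read and write.
function openDatabaseFetch(url, opts = {}) {
  const method = opts.method ?? "GET";
  if (method === "GET") {
    return Promise.resolve({ status: 200, json: async () => ({ Notes: true, users: true }) });
  }
  return Promise.resolve({ status: 200, json: async () => null });
}

// Constructed fake fetch: models a database whose rules deny anonymous access.
function lockedDatabaseFetch() {
  return Promise.resolve({ status: 401, json: async () => ({ error: "Permission denied" }) });
}

if (typeof require !== "undefined" && require.main === module) {
  // Swap openDatabaseFetch for the real fetch to probe your own project id.
  probeFirebaseDb("example-project", openDatabaseFetch).then((r) => console.log(r));
}
```

A result of `allowed` for either probe means the rules (or the absence of rules) let an anonymous client do what the curl command in the answer does; `denied-by-rules` means the `.read`/`.write` rules rejected the request and only a valid auth token would get through.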

The first thing that comes to my mind is that a user can flood your database with data or read until you run out of free quota (if you just use the free plan). I would call that some sort of denial-of-service (DoS) attack.

Obviously if you pay for it and don't specify any maximum cost limits then it might get costly for you. I've not paid for Firebase so far and don't know if you can set cost limits. Anyway your service/app would be down.

In case your app allows one user's data to be overwritten by another user, that would be another bad thing, but that gets more into a badly designed app. Whereas the previous attack vector could not be entirely avoided when, e.g., you run an email subscription service on a website to get potential customers. You would need some other security measures against a DoS attack.

I don't think it can get a lot worse :)
