I'm currently running a project that uses Firebase Hosting and Firebase Functions. Both functions apparently use some cookies for their own reasons, but I can't seem to find a way to 'disable' them for my website visitors.
All around, I'm not very well informed on GDPR laws, but I'd like my webpage to comply with those, by giving users the chance to opt out of cookies.
Is there a way to disable those cookies? And if not, is it possible that they are already GDPR compliant?
Cheers.
The cookies used for Firebase are specifically for Authentication reasons only, Firebase doesn't track personal information or data but rather stores a randomized Javascript Web Token to re-authenticate a user when your app gets refreshed or reloaded.
Additional client-side data is used for caching the database to increase read performance but doesn't expose or track a user by any means either.
Related
In short: In GCP credentials can be restricted with application restriction and with API restriction, but Identity Toolkit API cannot be restricted on Expo mobile application.
-In web both restrictions work
-On android/iOS API restriction works but (as I have tested, correct me if I'm wrong) application restrictions does not
Now if using email/password authentication there is an issue.
There is a huge insecurity here as if anyone gets to know your API key (you define in initializeApp and so you connect to Firebase with and so use with Identity Toolkit API).
They can only by knowing that key call Firebase Auth REST API "Sign up with email / password" from anywhere and create users for your project!!
Am I wrong, missing something or can this be prevented somehow?
Things you can do to prevent this:
In "GCP>credentials>Identity Toolkit API" you can lower "Queries per minute" and "Queries per minute per user"
You can in "Firebase>Authentiction>Sign-in method>Manage sign-up quota" lower the quota from same IP address to minium (but does this help in case of android/iOS application?)
But there is no completely secure solution unless you can application restrict your API key as far as I know.
I got the following answer from Firebase support and since there has not been answers I will add this as correct answer for anyone looking solution for same thing or seeing this question.
First of all, I would like to thank you for choosing Firebase to
implement your application. I know that these kinds of situations
could be frustrating, let's work together to provide the best solution
for you.
I have checked your case and I would recommend that you reinforce your
Security Rules, because this is not a security risk, as long as you
secure access to the data within your project correctly for your
requirements, as it is mentioned in this external entry.
We don’t have a way to know the origin of those emails, even if they
were created by real users through your app, but if you identify fake
accounts you can use Cloud Functions to delete all emails registered
with that pattern using Auth triggers. Alternatively, you can delete
the accounts after an established time without activity using Schedule
Functions.
Additionally, if you don’t want to have users on your application, you
would probably need to use the Admin SDK and authenticate the
application by service account instead.
Context: I just got an email which I believe is spam from admin#typingchimp.com saying my auth users accounts can be stolen and asked if there are security bounties. I use firebase auth, and it should be easy to see that checking client side JS code. Although I think it's spam, it leads me to ask:
Are there any known security vulnerabilities or ideal security related settings for firebase auth? Perhaps an article or documentation beyond https://firebase.google.com/docs/rules/basics or https://firebase.google.com/docs/rules/rules-and-auth ?
PS: This is an auth-only question, but yes my Real-time DB restricts read access to the signed in user and doesn't allow write access. No other settings have been changed beyond this. My site uses SSL of course.
I know google limits individual IPs from making a bunch of failed login attempts and will block you temporarily.
I regularly get these types of emails (spam!) indicating that they have already found security flaws, or that they will, for a "finders fee". It is a marketing campaign trying to drum up sales activity.
Firebase Authentication has been designed and is in use by millions of apps. Hundreds of millions (or billions??) of accounts live in Firebase Auth. If there are vulnerabilities with the service, we will learn of it rapidly.
There is the potential that your particular use of Firebase Auth does not follow secure practices. For example, if you have your API keys checked into a publicly available code repository.
However if you follow the (fairly straightforward) "getting started" and recommendations docs from the Firebase team, odds are that your app is just fine.
So I have an app where I have enabled google authentication in my firebase project. 25 people I know were authenticated. When I logged in the backend I saw atleast some 80 entries with some weird sounding email addresses which should not be there. I had to delete all the entries manually, known and unknown ones (didn't needed any after sucessful testing). Now that I want to go live, I am really concerned as to how unknown entires entered my firebase authentication records?
This has recently happened 'again' to another new app/project of mine. This time I disabled that unknown email address and took a screenshot (attached).
I really really need to know and understand how safe is data on firestore. If someone can manage to 'hack' the Authentication part and add thir email to Authenticated list of users they may also be able to penetrate the database somehow in future. Please help me in understanding what is happening?
While researching on this, I could only find this similar question but the answer was just not enough explanation for me.
Unknown user in my firebase user authentication (Flutter/firebase)
firebaser here
Since the configuration data for your project is embedded in the application that you send to your users, any user can take that configuration data and then start calling the API with it. This is not a security risk, as long as you secure access to the data within your project correctly for your requirements.
See Is it safe to expose Firebase apiKey to the public?
What it means to correctly secure access to your data is hard to answer, as it depends completely on your use-case.
For example: the content-owner only access security rules allow a user to enter data in the database, and then they can access the data they entered. With these rules there's no risk if anyone uses the API (and not your app) to do the same. The security rules will ensure they only can access data they're authorized for, no matter what the source is the API calls is.
It may be related to the pre-launch report.
https://support.google.com/googleplay/android-developer/answer/9842757?visit_id=637478112313064713-650300184&rd=1#signin
Step 1: Provide test account credentials if your app has a sign-in screen
If your app has a sign-in screen and you want the crawler to test the sign-in process or the content behind it, you need to provide account credentials. Note: You do not need to provide credentials if your app supports 'Sign in with Google', which enables the crawler to log in automatically.
So I guess it is safe.
The user willwhiteapple#gmail.com is the apple testing when your application is in the process of validation from apple before deploy to TestFlight .
I need Hide the URL of an embedded video to prevent anyone from accessing the video outside of my domain.
What I want to use Firebase Storage for, is to store and stream the videos which ONLY paid users logged into my site can access.
Is there any way I can hide the URL so that people can only access the videos from within my web page in wordpress?
Thanks!
As Doug said in his comment, it is impossible to completely hide a download URL. There are complicated ways to obscure it, but I would recommend you avoid going down that rabbit hole - none are foolproof.
Instead, you should implement your security using Firebase Storage's built-in security rules - the situation you are describing is EXACTLY what this feature is designed to accomplish. You can put a rule in place that only users who have purchased the course (meaning, they have that video's identifier under their account in the database) are granted access... and you can even limit access to your project (see steps in answer #1) to specific domains.
There are a ton of great resources out there for you to reference while learning how the security rules work. First would be the docs I linked earlier, but they also have some pretty good official Firebase Youtube videos on the subject of rules.
If you are talking about having the videos stored in Firebase, hopefully you are planning to use the rest of Firebase's back-end features... because the ONE BIG ISSUE with this suggestion is that it relies on you using Firebase's built-in authentication. If your users are already logging into your site via an established non-Firebase system you've added to your Wordpress site, then I'm afraid this solution won't be so simple. Not impossible, but not as simple. If that's the case, you will need to pass the customer information to Firebase to login to a duplicated customer account, even if the end user doesn't realize they are being logged in to Firebase, and THEN they will have that special auth token that Firebase security uses to identify & grant access with the security rules.
While testing the security of one of our product, a web application, using the REST API of Firebase we got surprised when we realised that refresh-tokens never expire in the V3 of the Firebase implementation, allowing any refresh-token to create new tokens forever.
While local-storage seem a reasonably safe solution today, we are concerned by the possibility that it could fail tomorrow, even for a short amount of time, and that we cannot stop someone from using any of these refresh-tokens.
Two factor authentication will help mitigate the issue, but the first step would become compromised nonetheless.
Is there a way to blacklist tokens, or similar behaviour, with Firebase, without handling all tokens exchange, such as minting, ourselves? We could not find such feature when going through the doc.
Any advice appreciated.
Authentication sessions don't expire with Firebase login. But the ID token will have to be refreshed hourly, to keep access to the services. If you disable an account, refreshing the token will fail and the account won't be able to access services anymore. There is no way to invalidate individual tokens.
Firebase recently implemented revokeRefreshTokens() inside the admin sdk. Although this will not let you kill an invalid JWT, it does allow you to prevent a refresh of the token (from my testing so far at least) and it allows cleaner control flow inside firebase database.
See Admin Manage Sessions For rough examples