125 Million Effected Accounts By FireBase Configuration

  Views: 103,178

ThePrimeTime

1 month ago

Recorded live on twitch, GET IN
Article
env.fail/posts/firewreck-1/
By: mrbruh, xyzeva & logykk | env.fail/about

Comments: 217
@xiaoshen194 1 month ago
U meant affected*
@NabekenProG87 1 month ago
effect(users)
@trappedcat3615 1 month ago
*You "U" is not a word. Also, you wrote a sentence without a period (big no no).
@FinahRS 1 month ago
@@trappedcat3615 Your first sentence in your comment doesn't have a period, lol.
@Dannnneh 1 month ago
@@trappedcat3615 You put the corrective asterisk on the wrong side of the "You". Also, you didn't hyphenate "no-no".
@NabekenProG87 1 month ago
@@trappedcat3615 What about sentences with two periods..
@philunruh2368 1 month ago
For those wondering, Firestore rejects all requests by default. You have to set up security rules to access data. You do have the option to run your database in test mode, where all data is publicly available. I’m guessing a good percentage of this data was exposed because the database was in test mode.
@juanmacias5922 1 month ago
Exactly, and because the devs did not RTFM...
@soverain 1 month ago
In fact test mode is disabled automatically after 30 days. So it has to be deliberately set to public access after that period.
@mrnEight8 1 month ago
@@soverain yeah, I was thinking the same… devs stay wondering why ITOPS and SecOPS give them crap about their dev and prod environments… here’s why..
@ericjbowman1708 1 month ago
Doesn't matter. Passwords should never be saved as plain text, period.
@softwaredeveloper6791 1 month ago
@@ericjbowman1708 If the password isn't stored as plain text in a txt document, then how will the logins work? I can't remember what day of the week it is, much less my password (currently it's P4ssw0rd)
@ericwadebrown 1 month ago
s/Effected/Affected
@RickYorgason 1 month ago
Maybe 125 million accounts were created.
@omri9325 1 month ago
The typos are intentional to make you comment and get the algorithm to boost it
@art0007i 1 month ago
Reminds me of a video I saw recently kzfaq.info/get/bejne/eeCIfZOamd6lcn0.html
@ericwadebrown 1 month ago
@@omri9325 That makes sense. He is a clown like that.
@EnterANameReal 1 month ago
My interpretation of the "do you have a girlfriend?" message:
- support person being customer-facing has *zero* idea what Firebase is
- they get the message, and think it's a scammer trying to get them to do some exploit
- they "play around" with the scammer and respond jokingly
@chindianajones3742 1 month ago
Yes I've done this with scam text messages lol
@Leonhart_93 1 month ago
Likely. And anyway, it's advantageous to try the guy to open up for free and 99% of them will be guys.
@HyperionStudiosDE 1 month ago
or they are the scammer and just don't care that they're exposing data.
@daddy7860 1 month ago
Or it was a scam organization's hired underpaid 14 year old Indonesian girl as customer support
@shaunkruger 1 month ago
The unencrypted passwords on the gambling site aren’t a bug, it’s probably a feature of the identity theft honeypot.
@user-in2cs1vp6o 1 month ago
Wouldn't the thief want it encrypted for themselves
@pianochess1882 1 month ago
You generally don’t encrypt passwords, but you rather hash them
@ChrisWijtmans 1 month ago
@@pianochess1882 a hash is a one way encryption.
@caseykawamura8718 1 month ago
This is funny, I remember setting up a firebase project while I was in school and thought it was really stressful having to teach myself how to be secure handling information. I thought about how there were tons of projects that probably aren't set up correctly and didn't do anything about it because I assumed I just had skill issues and everyone else knew how to be secure with their firebase setup. I never thought about it being considered a major vulnerability like this...
@caseykawamura8718 1 month ago
Are there bounties for stuff like this where it's a documentation vulnerability?
@ValipPowa 1 month ago
it isn't a vulnerability lol the site owners quite literally ALLOW you to fetch from db they just didn't care about permissions
@caseykawamura8718 1 month ago
@@ValipPowa I wouldn't have considered it a vulnerability either, but there are a lot of people just learning firebase and don't recognize that the doc sets default users to read/write. In a roundabout way this caused a lot of people to have their PII stolen. Is it google's fault? idk.. it's a weird situation. It does look really bad on them though when so many of their users have this kind of problem from following THEIR instructions.
@ElclarkKuhu 1 month ago
@@caseykawamura8718 No, it's not r/w by default. Some people say you'll need to enable test mode to make it r/w and it's automatically disabled every 30 days, but I can't confirm it, I haven't used firebase in years
@RandomNoob1124 1 month ago
Well that’s just a problem in software in general, people never think about security initially. It’s never a skill issue to think about security first, actually the opposite. If you think it was stressful in the beginning, it is damn near impossible when you already built your system and did not put one thought into security
@Ryan-in3ot 1 month ago
firebase sends me an email every four hours saying "any user can read your entire database" which is the entire point of my site. I know that's a separate issue from users exposing their auth keys but at least firebase cares a little
@TheBuddilla 1 month ago
Almost every Influencer "Just use third party services, it's inherently safer than rolling your own..." Doesn't matter what service you use or if you roll your own. A skill issue is a skill issue.
@user-gi4qu9do2v 1 month ago
In most cases password hash + salt approach is more safe for users and more convenient for devs (you can do awesome things when you define how auth works). To be honest, it's not a skill issue - sometimes doc for such services sucks. It's easy to set up, but there are no nuances and creators' thoughts on what's happening and how it's working.
@andythedishwasher1117 1 month ago
I usually try to be safe by using a social provider and not touching a user's password with a ten foot pole. When I need to store their email or phone number or other PII, I set up a security rule on the Firestore collection that only allows clients logged in as the user to access that particular user's data, but no one else's. Firebase docs provide a pretty specific config for that exact use case.
@juanmacias5922 1 month ago
There are way more skill issues when rolling out your own, than by just reading the documentation. Firebase plainly states that you need to set up the rules.
@TheBuddilla 1 month ago
@@juanmacias5922 Rolling your own has the same security concerns as getting vendor locked in a 3rd party system and I see no difference. I moved back to python, php and even c/cpp... JS/TS ecosystem is all messed up and just a big circle jerk of new shiny things and serverless vendors being promoted by influencers... Not reading docs is a skill issue, I even struggle with it myself. At some point I'll port some things to rust...
@TheBuddilla 1 month ago
@@andythedishwasher1117 How hard is it to argon2 hash a password and then later compare it when a user logs in? You're basically just running an api key and offloading the login to a third party that has a bigger target on its back. If your api key gets compromised your users are exposed and you expose yourself to high fees when your api key is used for nefarious reasons. Also, if your third party provider goes down as most of them are on AWS which has an even bigger target on its back your users are still screwed.
@duke605 1 month ago
I wouldn't call this a vulnerability, I would call this a skill issue
@davesomeone4059 1 month ago
Same thing
@duke605 1 month ago
@@davesomeone4059 yes and no. Buffer overflow and memory vulnerabilities are technically skill issues. But I wouldn't put them on the same level as not setting up permissions for your database properly/at all
@edism 1 month ago
No, configuration issues are the dev's fault @@davesomeone4059
@martenkahr3365 1 month ago
Interesting fact about casinos: a lot of the elderly folks you see in them don't really care about winning. They're there because it averages out to be cheaper than retirement home rates, and the first aid training of the security staff tends to be pretty good.
@snorman1911 1 month ago
Are they sleeping in the casino?
@nikolaygruychev2504 1 month ago
i see no sources in ur comment and this doesn't seem that plausible but imma take your word for it because its kinda funny
@cedricol 1 month ago
@@nikolaygruychev2504 same. It's probably BS, but I will believe it because it's a good story.
@user-oj7uc8tw9r 1 month ago
We are going to have to talk to Fireship about this
@TheGkmasta 1 month ago
Used Firebase for a project several years ago. Setting up the DB auth rules was the most convoluted and meticulous thing I've ever had to do in software development. I can see how it could easily be screwed up. (I'm assuming the general method is still the same as it was back then.)
@adriankal 1 month ago
It wasn't even remotely as hard as securing backend with sql db or mongo. Protecting against sql injection, ddos attacks etc is way harder than writing a few firebase rules.
@TheGkmasta 1 month ago
@@adriankal Funny, those things seem easy to me. I guess we all have our different tolerances and blind spots in development. However, my application required way more than "a few" rules.
@andythedishwasher1117 1 month ago
I have to put some of this on Firebase for using a really confusing and relatively unique configuration syntax for security rules. However, it is pretty clearly documented at the moment. My guess is a lot of this is a relic of when it was NOT clearly documented. Probably a lot more of it is incompetent business owners and/or contractors who just blindly clicked default options in order to post up something quickly/impressively, possibly with the intention of reconfiguring it before pushing to prod, possibly ignoring the warnings entirely. Either way, this is a pretty massive blow to the platform's reputation.
@Dom-zy1qy 1 month ago
I wouldn't say firebase gives "zero warnings", but maybe I just don't know that they existed in my apps that used it. Specifically for firebase realtime, it's easy to misconfigure something, but I think they do let you know when you're configuring something that could lead to security vulnerabilities. I'd just assume most of these things would be discovered before going to prod.
@edism 1 month ago
AFFECTED*
@Tw33ty271 1 month ago
1 streamer effected by Flip's editing today 😅
@Jeremyak 1 month ago
kudos to the 2 sites that offered bug bounties.
@NuncNuncNuncNunc 1 month ago
User passwords stored in plaintext - I think we put some of this down to skill issues. Good chance this is only the surface. How many sites allow unauthorized access to cloud functions? Just a simple example probably without any security concerns, but one of the sites has a simple function to get the server's unixtime. There's no need for it to be open and firestore can check that requests come only from the site itself. How many POST requests behave the same way?
@edugar88 1 month ago
Nice move Flip xD
@robertm4934 1 month ago
AFFECT*
@softwaredeveloper6791 1 month ago
GCP is very loosey goosey with permissions. For example, creating a user in the cloud database gives them all the permissions. It's up to the concerned IT guy to then go into the database instance to limit the permissions.
@kiwikemist 1 month ago
Doesn't firebase specifically have a mode for local hosting so you can test your security rules before putting them in production?
@intesoft-inc 1 month ago
Yes, and also a unit testing framework to test the rules with every scenario you can come up with. This is 100% a skill issue.
@kiwikemist 1 month ago
@@intesoft-inc I thought as much
@khanra17 1 month ago
I have accessed so many firebases for years. But the meat is they were teachers on KZfaq who teach about development 😂. Many of them had write access
@Pollux70 1 month ago
Prime is far more hyped up this episode.
@supermarinespitfire1 1 month ago
'Affected' brah
@eno88 1 month ago
effected. verb. caused something to happen; brought about. affected. adjective. influenced or touched by an external factor.
@pseudocoder78 1 month ago
Effected can also be used as an adjective but obviously that wasn't the intent here.
@human_shaped 1 month ago
Affected
@seasn5553 1 month ago
I got into my community college's website that way lol. People will ALWAYS be a point of failure
@jerrodc8019 1 month ago
Prime, you know what you've done... I'm curious how much it will affect your numbers.
@Destide 1 month ago
Theo going to be mad
@sidouglas 1 month ago
Yup, Theo was first.
@donf2944 1 month ago
just giggling doorhandles. wow
@JimAllen-Persona 1 month ago
Called it Catalyst.. the brand name of a Cisco appliance. Ironic.
@jonnyso1 1 month ago
DUDE !
@Nocare89 1 month ago
You could just craft a google search for domains which include firebase sdk files or urls.
@_GhostMiner 1 month ago
**AFFECTED*
@bohdanvinter6929 1 month ago
...agen!
@pharoah327 1 month ago
The fact that they were surprised at Python's poor handling of threads and memory makes me think they don't know Python. That's kind of common knowledge under things Python doesn't do well.
@davguev 1 month ago
Affected*
@samiraperi467 1 month ago
"We set to work scanning the entire internet for exposed PP uh PII" Is that a Freudian slip? 🤔
@BiHMaverick 1 month ago
there's PPI and PII, PPI - Protected Personal Information.
@bmc_ 1 month ago
SEESH
@anonlegion9096 1 month ago
10:40 is it possible they were looking for hard-coded API keys/high entropy secrets? I've seen shit like this in production far too many times for comfort.
@MegaGorgot 1 month ago
I'm honestly glad that I decided to move to supabase as a solo developer. It's just horrible in so many ways.
@AlecMaly 1 month ago
SaaS apps are insecure by design because it's easier for developers to get started. It's a business strategy, a fine line to walk between security and ease of use.
@mvs2403 1 month ago
To be fair, I think there is some kind of warning, everyone just ignores it during development and forget to change it and reset those security rules when publishing
@crisdebug8675 1 month ago
Not exactly a security risk, but there was a moment when I inadvertently made an infinite loop that was: 1. Making a lot of writes to Firestore 2. Spamming users with notifications Later I saw that it had >2B writes and 700 US$ of cost.
@DaVinc-hi7hd 1 month ago
wow, you had to pay for that ? was it a personal project ?
@crisdebug8675 1 month ago
@@DaVinc-hi7hd Nope and Nope. Fortunately, the company was like "Eh, that kind of thing happens, we'll cover this time. But make sure to test properly next time!"
@DaVinc-hi7hd 1 month ago
@@crisdebug8675 oh, that's very kind of them !! how much time did it take for those >2B writes to complete/you to notice ?
@crisdebug8675 1 month ago
@@DaVinc-hi7hd it was a couple of hours. I was going to check something on the firebase project, and saw the initial dashboard and thought "Wait a second, why Firestore has a 2B on it?"
@LouisDuran 1 month ago
Just want to say: Affected
@njnjhjh8918 1 month ago
watched
@DMWatchesYoutube 1 month ago
Bro you don't even need to be a hacker, just be a magpie and scrub the floor
@amandasandell3351 1 month ago
affected*
@cedricol 1 month ago
Frankly, that's hardly a Firebase issue, since it defaults to denying all requests, and you have to write rules to decide what's allowed, usually depending on logged-in user (eg. the logged in user can see his own profile record). And anything you'd read via the admin SDK, you wouldn't allow at all. Those "developers" either intentionally wrote in the config to allow all requests, or actively put it in test mode (used for development) every 30 days (since that mode expires after 30d), and ignore the regular warning emails that they get from the service. It's one of those cases where the tool does everything right to protect you, but you still go against it and all its warnings and open everything.
@jcmorin2007 1 month ago
The fact 75% DIDN'T fix their database, would it be responsible to release the source of the script so that everyone can grab the data?
@greyroot00 1 month ago
Firebase auth system does not store password in plaintext isn't it. You need to put effort to store password in plain text, it is closer to malicious than incompetence.
@SimonJackson13 1 month ago
Sounds like client state not being server state checked.
@NeuravnoveRS 1 month ago
I'm pretty sure that a python program with ~>1thread will start to chew up memory immediately. I'm not a python hater, it's a great tool for mathematicians(lol Julia dead lang) and other grad students in stem.
@cedricol 1 month ago
Makes you wonder whether you can use the skill issue of gambling websites against them, and tip the odds in your favour.
@DaVinc-hi7hd 1 month ago
I think they must be putting all their efforts in getting the odds in their favor, so that might be hard.
@onclimber5067 1 month ago
They should make their code public or host on a website so people can check their own website for vulnerabilities
@spl45hz 1 month ago
This not even includes the common read all access if signed in...
@Fernando-ry5qt 1 month ago
Yeah, there is a really high chance they gave * access to every collection and just filtered with the user id...... I've seen that before and makes me sad
@Nocare89 1 month ago
Yeah, I think that's the default rule set lol. It is at least a common intro example which people probably often don't change.
@Fernando-ry5qt 1 month ago
@@Nocare89 Tbh it's been a long time so I don't remember, but I think you get a warning when trying to deploy the project if your rule set is default? yeah..... I had a LOT of troubles configuring that file years ago
@Nocare89 1 month ago
@@Fernando-ry5qt If there is a warning it is just buried in terminal output. I think you get a warning in the console site if you have global read permissions but I'm not even confident with that one.
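The rule shapes this comment thread keeps returning to (fully open access, the time-limited "test mode" rule, and "any signed-in user can read everything") can be flagged mechanically in a rules file before it is deployed. This is an added example, not part of any comment, the video or Firebase's own tooling: a regex-based check, not a full parser, where `lintRules`, `classify` and the sample rules are hypothetical names and constructed data.

```javascript
// Added example: heuristic linter for Firestore security rules text.
// Regex-based; it recognises only the three condition shapes listed in classify().

// Constructed sample rules file (not taken from any real project).
const SAMPLE_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // time-limited open access, the shape "test mode" creates
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2024, 5, 1);
    }
    match /posts/{postId} {
      allow read;
      allow write: if request.auth != null;
    }
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
`;

// One token per iteration: `match <path> {`, an `allow ...;` statement, or a lone brace.
const TOKEN =
  /\bmatch\s+(\/(?:[^\s{}]|\{[^}\s]*\})*)\s*\{|\ballow\s+([^:;]+?)\s*(?::\s*if\s+([^;]+))?;|[{}]/g;

// Map an allow-condition to a finding kind, or null when it is scoped by something else.
function classify(condition) {
  if (condition === undefined) return "open"; // `allow read;` has no condition at all
  const c = condition.replace(/\s+/g, "");
  if (c === "true") return "open";
  if (/^request\.time<timestamp\.date\(/.test(c)) return "test-mode";
  if (c === "request.auth!=null" || c === "request.auth.uid!=null") {
    return "any-signed-in"; // every authenticated user, not just the owner
  }
  return null;
}

// Return one finding per risky allow statement, with the full match path it applies to.
function lintRules(text) {
  const src = text
    .replace(/\/\*[\s\S]*?\*\//g, "") // strip block comments
    .replace(/\/\/.*$/gm, ""); // strip line comments
  const stack = []; // one entry per open brace; "" for non-match blocks
  const findings = [];
  for (const m of src.matchAll(TOKEN)) {
    if (m[1] !== undefined) {
      stack.push(m[1]);
    } else if (m[2] !== undefined) {
      const kind = classify(m[3]);
      if (kind) {
        findings.push({
          path: stack.join(""),
          operations: m[2].split(",").map((s) => s.trim()),
          kind,
        });
      }
    } else if (m[0] === "{") {
      stack.push("");
    } else {
      stack.pop();
    }
  }
  return findings;
}

console.log(lintRules(SAMPLE_RULES));
```

The per-user rule on `/users/{userId}` produces no finding; the other three statements are reported with their full path and the operations they open up.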
@GlimmerOfLight 1 month ago
"Affected" .. please!
@bobwilkinsonguitar6142 1 month ago
Thank god it's not just me making horrible firebase rules. Can't figure out how to give my users the access they need, while prohibiting what they don't. Skill issue.
@britneyfreek 1 month ago
ever thought about not putting users data somewhere you can’t control?
@bobwilkinsonguitar6142 1 month ago
@@britneyfreek I have zero users, and am developing for fun, should have specified that users=null
@bobwilkinsonguitar6142 1 month ago
Still learning!
@kucingoyen1 1 month ago
Who in the world saving password as a plain text!?
@comedyman4896 1 month ago
"125 million accounts, 1 vulnerability" sounds like a porn title for robots
@Mempler 1 month ago
If you want something done right, do it yourself. except that if you do it yourself, your whole database is already on the internet
@pianochess1882 1 month ago
Is it really legal to store 125 million records of personal information in a private database, considering that data was only accidentally public?
@DragoNate 1 month ago
Shouldn't the title say "Affected", ser?
@MikePaixao 1 month ago
I remember having to limit Python max threads because every pc in the office would fail at different max counts 😅 thanks windows.
@StephenMoreira 1 month ago
Misleading I feel like, it's more companies not caring about security, it's super obvious if firebase is allowing full access.
@user-kh3ub8hs4e 1 month ago
Yeah - if you started a project and you use client side queries - it's open by default and emails you everyday after a while to edit rules.
@StephenMoreira 1 month ago
@@user-kh3ub8hs4e God i forgot it does email you.
@InternetKilledTV21 1 month ago
RooBet, although RooBet publishes their starter seeds so maybe it's not the best example of degen unreg?
@bearwolffish 1 month ago
The real skill issue is not having time to understand first hand, the 3rd party protocols we rely on.
@diegolikescode 1 month ago
Ligmed a lot of memory
@sidthetech7623 1 month ago
Lets talk about the 0% payout on some of these gambling websites.
@ThomasWSmith-wm5xn 1 month ago
So much of this isn't Firebase's fault as much as - firebase is a very easy tool to use and attracts ... less skilled people.
@pauldraper1736 1 month ago
*Affected
@AllenLantz 1 month ago
Only clicked on the video to say this
@pauldraper1736 1 month ago
@@AllenLantz maybe it's intentional then 😂
@AlanThomas1 1 month ago
*affected
@sampleshawn5380 1 month ago
"should have been Rust" 😂
@DMWatchesYoutube 1 month ago
Python the only true thread ripper
@JoshuaMoreno 1 month ago
THERE IS A GODDAMN WIZARD WHEN YOU CREATE THE DB THAT HANDLES THIS none of the default options allow unauthorized access after 30 days of the db creation, any fully public access config is 100% responsibility of a lazy dev that probs should be fired, yes, skill issue if you select "test mode" it'll allow unauthed for 30 days "production mode" will only allow authed access
@andythedishwasher1117 1 month ago
How much you wanna bet Upwork is about to be flooded with requests for "Firebase experts"?
@EllGeeLabs 1 month ago
It's "affected", not "effected."
@TayambaMwanza 1 month ago
Bruh, firebase has auth, why store plain text passwords.
@britneyfreek 1 month ago
put all your privacy into the cloud and don’t ask questions they said.
@ripkm-iwaly 1 month ago
anybody who says that is either dumb, sadistic or stands to profit from it somehow
@pupu6oi74 1 month ago
affected
@apoorvaditya5265 1 month ago
I just came here to say affected. Bye!
@chris-pee 1 month ago
That's the natural consequence of putting Row Level Security in the hands of ignorants. Or just people who don't care.
@DeviantFox 1 month ago
Prime .. I'm disappointed .. it should have been, "I've never configured firebase, let alone misconfigured it"
@ccj2 1 month ago
You don’t need to know anything about Firebase. Run very very far away
@danielmajer1648 1 month ago
They used multiprocessing not threading. They have copied the same process with different inputs 500 times. *Skill issue
@TehPwnerer 1 month ago
Why wait for the thing to complete then go on with the next step obviously you'd have a bunch of data to work with along the way while this script was at work and then why would you manually go through anything when you just wrote a script to dump a bunch of stuff in a file for you to go over it makes no sense
@Jensemann099 1 month ago
firebase, supabase.... sick of all this bullshit. Yeahhh I know, it scales so gooood for a superlarge start-up scenario. goosh wake up.
@thevortexATM 1 month ago
stupid things like this are going to lead to the forcing of a digital ID :(
@and_I_am_Life_the_fixer_of_all 1 month ago
nothing to hide, nothing to fear.. unless you are in a fucked up place I guess..
@fuyukaidesu1641 1 month ago
>effected
@petersuvara 1 month ago
Firebase security rules and their documentation are a horrendously poor way of managing the entire system. You cannot perform any regex in the rules themselves. It’s a disaster.
@Nocare89 1 month ago
Incorrect, you have access to a weird google specific regex that's really hard to test a working version of outside of the rules engine itself. But it does work just fine. I would instead point to the lack of 'else' statements which really messes with a modern programmer. That and ternary conditions which evaluate all paths regardless of the designated winning path from the primary condition.
@petersuvara 1 month ago
@@Nocare89 I tried it to match user names, doesn’t work. We have no idea how to work around it atm and are looking at custom encryption.
@spartanace13 1 month ago
Fifth
@covle9180 1 month ago
Dumpster firebase
@ahmadjames151 1 month ago
You are a Muslim 😍
@dirty-kebab 1 month ago
Damn, now my SATAN stack won't work
@science_trip 1 month ago
loool and all these "ex-Googles" judging PHP and WordPress 🤣🤣🤣🤣🤣
@Kane0123 1 month ago
No one is properly appreciating just how blazingly fast low code solutions helped to make this. They would have been so slow to market with their insecure products having to write all the code and infra themselves. #EveryoneShouldCode
@poderosoexcalibur-yp3kl 1 month ago
i hate firebase
@asdanjer 1 month ago
U have a critical issue! All your customer data is exposed! Ok so we have a slot open in 2 sprints...
@deadbeef576 1 month ago
Not so prime grammar/spelling. It's affected, not effected.