
Thousands of Mobile Apps Leak Data from Firebase Databases - auslander
https://www.securityweek.com/thousands-mobile-apps-leak-data-firebase-databases
======
lamlam
>The security issue, which the security firm refers to as the Firebase
vulnerability

IMO, calling the vulnerability the "Firebase vulnerability" makes it seem like
it's a problem on Firebase's side. But is it really their problem? At what
point do we start blaming the developers instead of the service?

~~~
williamstein
If the following quote from the article is true, it seems like Firebase is not
making security easy for developers: "One of the most popular backend database
technologies for mobile apps, Firebase does not secure user data by default.
It does not warn developers when data is not secure and does not provide
third-party encryption tools either. To ensure data is secure, app builders
need to specifically implement user authentication on all database tables and
rows, but that rarely happens,"

~~~
com2kid
Google shouts at you, about 500 times, to secure your Firebase instance.
Tutorials are thrown at developers left and right, and the docs mention it
again and again.

And the security system is super simple to implement. If the built-in language
is too hard, a simplified templating language is also provided.

The plaintext password thing just confuses me. One of Firebase's big draws is
integration with their auth system. Why in the world is anyone storing
passwords in Firebase? Unencrypted?

~~~
orev
How many times do we need to go through issues like this before people realize
that just yelling louder has no effect? Services like this should simply not
function at all until basic things like a password are put in place.

~~~
com2kid
> Services like this should simply not function at all until basic things like
> a password are put in place.

New Firebase instances start off locked down by default, not allowing global
reads or writes.

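As an added illustration of the two points com2kid makes above (the rules language is simple to use, and new instances start locked), here is example code that is not from this thread or from Firebase itself. It places the open configuration the article describes next to the locked default and a per-user rule set, and adds a small lint, `findOpenRules`, that a team could run over its own exported rules file to flag any `.read` or `.write` that is unconditionally true. The three rule objects are constructed for the example; `findOpenRules` is a hypothetical helper, not a Firebase API.

```javascript
// Added example (not from the thread or from Firebase): three Realtime Database
// rule sets side by side, plus a lint that flags any ".read"/".write" that is
// unconditionally true, i.e. readable or writable by anyone on the internet.

// 1. Constructed: the weak configuration behind the leaks in the article.
//    No authentication is required for any read or write, anywhere in the tree.
const openRules = {
  rules: {
    ".read": true,
    ".write": true
  }
};

// 2. Constructed: locked down, which is what a newly created instance gets.
//    Nothing is reachable until the developer writes an explicit rule.
const lockedRules = {
  rules: {
    ".read": false,
    ".write": false
  }
};

// 3. Constructed: per-user rules. `auth` is populated by Firebase Authentication;
//    an unauthenticated request has auth === null and is denied. Credentials
//    themselves never belong in the database: the auth system holds them.
const perUserRules = {
  rules: {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
};

// Walk a rules document and return the path of every ".read"/".write" whose
// value is the literal `true` (or the string "true"). Firebase rules cascade
// downward: a `true` on a parent grants access to every child, no matter how
// strict the rules below it are, so even one hit means the subtree is open.
function findOpenRules(rulesDoc) {
  const open = [];
  function walk(node, path) {
    for (const [key, value] of Object.entries(node)) {
      if (key === ".read" || key === ".write") {
        const isOpen =
          value === true ||
          (typeof value === "string" && value.trim() === "true");
        if (isOpen) {
          open.push(`${path}${key}`);
        }
      } else if (value && typeof value === "object") {
        // Nested location (or a "$variable" wildcard): keep walking.
        walk(value, `${path}${key}/`);
      }
    }
  }
  walk(rulesDoc.rules || {}, "/");
  return open;
}

// Usage: findOpenRules(openRules) -> ["/.read", "/.write"]
//        findOpenRules(lockedRules) and findOpenRules(perUserRules) -> []
```

The lint only catches the blunt case of a rule that is literally `true`; a rule expression that is effectively always true (for example one that never references `auth`) would still pass, so it is a first-pass check rather than a substitute for reading the rules.
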
~~~
orev
The fact that this was not the default since the inception of the service is
inexcusable. Sadly, too many other projects still take the approach of yelling
at people in some document somewhere instead of forcing security by default.

------
stemuk
This reminds me of the old MongoDB 'issue' where MongoDB was accused of being
insecure because developers failed to secure their database instances
properly.

Aside from that, Firebase has learned from their pre-acquisition time and now
sets all new DB instances to locked.

