
I “found” the database of a college app (2018) - yoginth
https://yoginth.com/college-hack
======
servercobra
As far as I know, none of these keys (except the email/password) are
considered a secret. The real problem here is that they aren't using
Firebase/Firestore rules to correctly limit database access.

------
ggggtez
Visible key isn't the bug. The bug is that the app should not have read access
to other students.

~~~
anarchodev
Yep. Although this exact thing has happened to so many apps I’m beginning to
doubt the wisdom of this “allow completely open dev settings at first and then
YOU get to remember to fix it” model that Firebase uses.

Maybe they could require an IP whitelist if the permissions aren’t set yet or
something.

~~~
rrix2
This is the cause of many mongodb and redis woes as well.

------
AlphaWeaver
What makes this even more sloppy for the school is that I know for a fact that
Firebase will send your admin account an email when it detects that you have
weak security settings on your database. It also sends said email repeatedly,
once per day.

I know because I intentionally have a developer db that is read access for the
whole world and I get that email every afternoon. The admin of this app either
is not competent enough to know what that email means, or is willfully
ignoring it.

~~~
mattlondon
Or registered on a "throw-away" gmail account created for this app that no one
is reading.

------
MRD85
The media would have a field day and say that he hacked his school database.
It's crazy how so many institutions are doing the digital equivalent of
leaving an unlocked car in a bad neighbourhood and no one holds them
accountable. Most people understand the concept of an unlocked car, not many
understand that he didn't do anything special to hack his school db. He just
strolled right in.

~~~
hjk05
> he didn't do anything special to hack...

Someone who snatched a purse out the hand of someone else isn’t “doing
anything special” either. The illegality doesn’t hinge on the difficulty of
the action. Why is that so hard to grasp for technical crowds?

If you find a car with the keys in the ignition and the door unlocked, you
won’t get away with driving it a block down the road by telling the judge:
“Oh, but it was obviously insecure, and I was just testing to see if I could
steal it”.

~~~
MRD85
The data that's available isn't the school, it's student data! The school left
the students "cars unlocked" and no one holds them accountable. They just say
that people shouldn't steal cars.

~~~
hjk05
They left the car unlocked in the same sense that your home is unlocked. With
the right tools, it’ll take me 5 minutes to gain entry. I could then claim
that it’s your own fault I gained entry because you don’t have a
metal-reinforced door, steel bars across windows, and a lock that can’t be
easily or hardily picked...

Yes, someone technically minded with the right tools and access can break in.
But that’s less than 5% of the population, very similar to the percentage who
could easily pick even a complicated lock, but of course nearly 90% will be
able to take an ax to a door or kick in a window.

~~~
MRD85
Even with that house analogy, I'd argue that you shouldn't store large volumes
of other people's sensitive personal data in a house that has the bare minimum
security.

The issue is organisations being reckless with our data and then blaming
hackers when they lose it. It should be common sense that if you have
sensitive information then it needs an appropriate level of security, but
somehow companies have convinced everyone it's not their fault.

------
throwaway527694
Did someone verify any of this?

If I recall correctly this `yoginth` is a known fraudster.

See:
[https://twitter.com/sindresorhus/status/1015873644377935874](https://twitter.com/sindresorhus/status/1015873644377935874)
or
[https://twitter.com/natfriedman/status/1059865722904440833](https://twitter.com/natfriedman/status/1059865722904440833)

~~~
yoginth
Hey, that is too old and I did it without knowing; it's my mistake and I
apologized for all of them personally and publicly!

Here, this app belongs to my college, it's my attendance and the work is mine!

~~~
surelyyoujest
You've built an entire online presence by copying everything from other
people's work - from your blog theme to your content "without knowing"?

Adorable.

Also, by briefly reading the docs on the "platform" you are trying to peddle,
I'm getting fairly certain you also copied that as well, as it is too well
written in comparison to the drivel on your blog.

~~~
jsty
In all fairness on that last point, if you're referring to his "Gitote"
project, the author has stated here [0] that it was a fork of Gogs, and seems
to have retained the proper copyright notices in the source files:

"// Copyright 2015 - Present, The Gogs Authors. All rights reserved. //
Copyright 2018 - Present, Gitote. All rights reserved." [1]

I agree it should probably have been given more prominent mention, but given
the number of commits doesn't seem (at quick glance) to be a hasty "fork and
rename".

[0]
[https://news.ycombinator.com/item?id=20137624](https://news.ycombinator.com/item?id=20137624)
[1]
[https://gitlab.com/gitote/gitote/blob/master/gitote.go](https://gitlab.com/gitote/gitote/blob/master/gitote.go)

~~~
yoginth
It was accepted by the founder himself
[https://twitter.com/jc_unknwon/status/1066713466524848128](https://twitter.com/jc_unknwon/status/1066713466524848128)

------
kazinator
A school that tracks attendance cannot be called a college or university.
Kindergarten, I can swallow.

~~~
stedaniels
I'm not sure if you are in the industry, but attendance tracking is high up on
most institutions lists of metrics to track. Aside from helping out the usual
back office data, it's often a key indicator for students who are in trouble.
The institution can then reach out and assist these students.

~~~
tastroder
They might just not be from the US. Here in Germany, tracking or forcing
student attendance is the subject of much discussion and generally frowned
upon (or forbidden by regulation) in the University setting these days.

~~~
stedaniels
This is mind boggling. Failing someone for missing one or two classes is
ludicrous, but giving someone a certificate who didn't engage with the course
is equally so. University education isn't about the destination/exam it's
about the journey.

~~~
malaxii
This is a common practice in Europe as I understand, not just Germany.

The thinking as I understand it goes along these lines: there are requirements
to get a degree (thesis, pass exams, score high enough in exercises), but the
university is primarily a center for learning and you are an adult, so how you
achieve the abilities to fulfill the requirements is your own business. If you
want to do things on your own, you are free to do so.

~~~
Fronzie
Also, it is seen as a test by itself: are you capable of taking
responsibility and doing your work?

This is a quite valuable lesson by itself. Most people need a few months to
learn it (partying is fun, but doesn't get you a degree), some don't and
indeed drop out.

------
aitchnyu
I had to code-review a Django app using Firebase as a DB and swore never
again. He did features and promised to do validation and security later by
going to their editor and writing Javascript files. Django lets him write
valid forms and correct SQL queries in almost the same lines of code.
Pagination was a pain in the current version and present only in a version
forever in beta. All the hard work coaching him on exceptions went out of the
window.

An Android dev finally enlightened me where Firebase shines: offline sync of
mobile to a server by eliminating lots of explicit CRUD calls and error
handling.

------
bayareanative
An Australian autistic developer found a top university's custom
authentication database exposed to the internet in less than 10 minutes.
Please, no more DIY crypto or running unaudited services willy-nilly. :prayer-
emoji-here:

------
empath75
I’m not familiar with Firebase, but is it unusual for end users to have direct
access to a database at all? Why isn’t there a web front end there?

~~~
wildrhythms
Firebase has a "rules" feature where you set up security/authorization rules
on your database:

[https://firebase.google.com/docs/database/security#section-authorization](https://firebase.google.com/docs/database/security#section-authorization)

There's a "development" mode you can enable on your database that simply
ignores all of the rules. The college app either 1) has no/unsafe rules set
up, or 2) left their Firebase database in development mode.
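
A quick way to tell which of those two states your own database is in is an anonymous REST read against it. The code below is an added example, not from the page or from Firebase: it builds the probe URL from a database URL (the `example-app.firebaseio.com` host in the usage note is a placeholder) and classifies the response. It relies on the documented REST behaviour that a node is served at `https://<db>.firebaseio.com/<path>.json` and that a read denied by the rules comes back as HTTP 401 with `{"error":"Permission denied"}`; the sample responses at the bottom are constructed to that shape so the classifier runs offline. Probe only databases you own or are authorised to test.

```javascript
// Added example (not from the page): classify what an anonymous REST read of a
// Firebase Realtime Database returns, so a developer can verify their own
// database is not sitting in the open "development" state. Assumes the
// documented REST API: a node is served at https://<db>.firebaseio.com/<path>.json
// and a read the rules deny answers HTTP 401 with {"error":"Permission denied"}.
// Probe only databases you own or are authorised to test.

// Turn a database URL (as found in an app's resources) into a probe URL.
// shallow=true asks for top-level keys only, so a positive result shows that
// the database is open without pulling anyone's records.
function probeUrl(databaseUrl, path = "/") {
  const base = databaseUrl.replace(/\/+$/, "");
  const node = path.replace(/^\/+/, "");
  return `${base}/${node}.json?shallow=true`;
}

// Pure classification of one response, so it can be checked offline.
function classifyRtdbResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (_) {
    return { verdict: "unknown", detail: "non-JSON body" };
  }
  if (status === 401 || status === 403) {
    const msg = body && typeof body.error === "string" ? body.error : "";
    return /permission denied/i.test(msg)
      ? { verdict: "rules-enforced", detail: msg }
      : { verdict: "denied", detail: msg || `HTTP ${status}` };
  }
  if (status === 200) {
    if (body === null) {
      return { verdict: "open-empty", detail: "anonymous read allowed; node is empty" };
    }
    const keys = body && typeof body === "object" ? Object.keys(body) : [];
    return {
      verdict: "open",
      detail: `anonymous read allowed; top-level keys: ${keys.join(", ")}`,
    };
  }
  return { verdict: "unknown", detail: `HTTP ${status}` };
}

// Live probe (needs network and Node 18+ for global fetch). Not run by default.
async function probe(databaseUrl) {
  const res = await fetch(probeUrl(databaseUrl), { method: "GET" });
  return classifyRtdbResponse(res.status, await res.text());
}

// Constructed sample responses, shaped like the outcomes you would see:
// an open database, one with rules applied, and an open but empty node.
const sampleResponses = [
  { label: "open (test mode)", status: 200, body: '{"students":true,"attendance":true}' },
  { label: "rules enforced", status: 401, body: '{"error":"Permission denied"}' },
  { label: "open but empty", status: 200, body: "null" },
];

// Classify every constructed sample; returns one verdict per sample.
function classifySamples() {
  return sampleResponses.map((s) => ({
    label: s.label,
    ...classifyRtdbResponse(s.status, s.body),
  }));
}
```

Against a real project you would call `probe("https://example-app.firebaseio.com")` (placeholder host) and expect `rules-enforced`; an `open` verdict listing keys such as `students` is exactly the condition the thread is describing. A 200 with `null` still means the rules allow anonymous reads, only that nothing is stored at that node yet.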

------
sammnaser
Good spot, but be careful in the future in your approach. Some places will
nail you for having not stopped at the point where you unpacked the apk
resources and noticed the API keys. Downloading the credentials might not have
been the smartest move.

------
hyperthreading
Is there any way to hide keys from extraction? I tried it before and ended up
finding that users can do that if they really want to.

~~~
yoginth
To my knowledge, we can't hide keys!

But make sure you have switched Firebase to production mode.

In my case, Firebase was in development mode and the data was publicly
available!

[https://yoginth.com/college-hack#mitigations](https://yoginth.com/college-hack#mitigations)

~~~
evolveyourmind
It’s not about keys or modes, it’s about the rules they didn’t set up.
Everyone uses firebase like that. Those “keys” are required to allow you to
connect to the correct firebase app, nothing more. You don’t get any direct
special permission to do things on the database or storage. Here is some more
info about the rules:
[https://firebase.google.com/docs/database/security](https://firebase.google.com/docs/database/security)
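
The point made by servercobra, ggggtez, wildrhythms and evolveyourmind above is that the keys are irrelevant and the rules are everything. The block below is an added example, not from the page or from Firebase: a toy evaluator for Realtime Database rules JSON that models only the documented behaviour needed here (boolean rules, string rules over `auth` and `$wildcard` path variables, and the cascade by which a grant at a parent applies to every child and a deeper rule cannot revoke it). The three rule sets are constructed for the example: the open "test mode" rules, a per-user `students/$uid` rule, and a tempting but useless child-level deny. It is not the Firebase rules engine; check real rules with the Rules Simulator in the Firebase console.

```javascript
// Added example: a toy evaluator for Firebase Realtime Database rules JSON.
// It is not the Firebase rules engine and supports only what the example
// needs: boolean rules, string rules over `auth` and "$wildcard" path
// variables, and the documented cascade (a grant at a parent applies to every
// child, and shallower rules win). No `data`, `root`, `newData` or `.validate`.

// Roughly the rules you get by choosing "test mode" when creating a database:
// anyone, authenticated or not, can read and write every path.
const openDevRules = {
  rules: { ".read": true, ".write": true },
};

// Hardened rules (constructed for this example): the record under
// /students/<uid> is readable and writable only by the signed-in user whose
// uid is <uid>. Nothing grants access at the root, so everything else,
// including a listing of /students, is denied.
const hardenedRules = {
  rules: {
    students: {
      $uid: {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
      },
    },
  },
};

// A tempting but useless "fix": keeping the root grant and denying a child.
// Because grants cascade downward and a deeper rule cannot revoke a shallower
// one, the child rule changes nothing.
const cascadeMistakeRules = {
  rules: {
    ".read": true,
    students: { ".read": false },
  },
};

// Evaluate one rule value. Strings are expressions over `auth` and the bound
// wildcard variables; any evaluation error is treated as deny.
function evalRule(rule, vars, auth) {
  if (typeof rule === "boolean") return rule;
  if (typeof rule !== "string") return false;
  const names = Object.keys(vars);
  try {
    // The expression comes from the rules file you wrote, never from users.
    const fn = new Function("auth", ...names, `return (${rule});`);
    return Boolean(fn(auth, ...names.map((n) => vars[n])));
  } catch (_) {
    return false;
  }
}

// Is `op` (".read" or ".write") at `path` allowed for `auth` (null when
// unauthenticated)? Walk from the root towards the path; the first node whose
// rule grants wins (cascade). If no node on the way grants, deny.
function isAllowed(rulesDoc, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  let node = rulesDoc.rules;
  const vars = {};
  for (let i = 0; node && typeof node === "object" && i <= segments.length; i++) {
    if (op in node && evalRule(node[op], vars, auth)) return true;
    if (i === segments.length) break;
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      // One "$name" key per level acts as a wildcard bound to this segment.
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) return false;
      vars[wildcard] = seg;
      node = node[wildcard];
    }
  }
  return false;
}

// Compare the three rule sets for the same request: another student's record,
// read without signing in (what the college app allowed).
function compareAnonymousRead(path = "/students/alice") {
  return {
    openDev: isAllowed(openDevRules, ".read", path, null),
    hardened: isAllowed(hardenedRules, ".read", path, null),
    cascadeMistake: isAllowed(cascadeMistakeRules, ".read", path, null),
  };
}
```

`compareAnonymousRead()` returns `openDev: true`, `hardened: false`, `cascadeMistake: true`: the anonymous read of `/students/alice` succeeds under the open rules and also under the "fixed" rules, because the root `.read: true` already granted it before the child rule was ever consulted. Under the hardened rules the same read succeeds only with `auth = { uid: "alice" }`, and a read of `/students` itself is denied even for alice, since no rule at or above that path grants it.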

------
zeristor
Isn’t this the opening to the film WarGames?

Has Joshua asked you to play a game of global thermonuclear war yet?

------
mappu
Is Gitote a fork of Gogs/Gitea?

~~~
yoginth
It's a fork of Gogs!

------
z3t4
This seems to be the default on most G services.

------
noja
ITT everybody doing the same!

