As this project is using Firebase, despite it using randomized keys (which makes it seem like something vaguely "secure", in that other people probably would be unable to guess the key of your document and start messing with you or reading what you wrote), it is trivial to iterate and find all of the other documents people are editing by dumping the database.

To demonstrate, open up a JavaScript Console (such as the Chrome inspector or something; I assume this won't be problematic in other browsers, but it does involve a callback to an anonymous function typed into the console, and I don't do much JavaScript to know if that will cause some weird protected scope error in some browsers) and plug in the following:

    new Firebase(Socrates.firebaseUrl).once('value', function(snapshot) {
        var val = snapshot.val();
        for (var i in val.documents) {
            var doc = val.documents[i];
            console.log(doc.id + ': ' + doc.title + '\n' + doc.body);
        }
    });
The output will be the identifiers, titles, and contents of every document in the database (including one which seems to be the developers of Socrates.io trying to come up with a way to charge for people using the beta, including examinations of which payment processor to use, etc.; I'm now quite curious if they realized that was public... it's not bad or anything).

Hey, one of the authors here. We did realize this. This is a weekend hackathon project to allow the Hacker News community to write nice clean markdown.

Firebase offers security, but we just didn't get around to using it yet.

You shouldn't choose to use it for sensitive information, but for Github readmes and other already public content, it's a great tool.


Ok, when I was last talking to them[1], they did not have anything at all for security but a vague idea that it was important and a possible "would something like this work?" that was more about securing the API than the data ;P. Their FAQ still states they are working on it, but maybe they have something more in-depth now for the beta users (such as yourselves)?

[1] https://twitter.com/Firebase/status/190954896764305408

The pretty sane and "simple" (easy to implement on the server, but difficult for developers to use correctly) way of doing it is something like StackMob or Parse's ACL feature (but even that tends to be misused, and as soon as data can be shared between users it is almost impossible to get right without using custom server-side logic, which these kinds of companies are now supporting).

(FTR, I try to hit on these things pretty hard, as I'm highly concerned that these online middleware companies are short-changing the importance of security in the cloud, if not often in their implementations then almost always in their documentation and tutorials. I gave a talk at 360|iDev this year discussing solutions like StackMob and Parse, doing live demos of ripping keys out of apps and dumping their databases.)

(One of the apps I ran into--which I did not demo dumping data from during that talk ;P, although I did show a totally anonymized snippet of the kind of data it was storing--was an online dating matchup app that was storing all of its offline Facebook full-access auth tokens trivially accessible in StackMob, along with all of the "private" messages sent between the users... all of this despite the app supporting nicknames for "anonymity" and listing "security" as one of its defining features :(.)

(Firebase, to their extreme credit, is very honest about the fact that your data is all public: it is the very first question in their FAQ, and they state the situation 100% clearly and entirely outright. "However, it’s not ready for widespread use yet, so right now all data in Firebase is publicly accessible. Please keep this in mind when building apps!" <- emphasis is thankfully theirs, not mine ;P)
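As an added illustration of the per-document ACL approach discussed in the comment above (this is not code from the thread, from Socrates.io, or from Firebase's own documentation): with no rules configured, a Firebase Realtime Database behaves as if its rules were `{"rules": {".read": true, ".write": true}}`, which is exactly what lets anyone read the whole `documents` tree. The rules below, written in the Firebase security-rules language that shipped after this thread was posted, deny everything by default and then grant access to an individual document only to an authenticated user whose `auth.uid` matches that document's `owner` field. The `owner` field and the `documents/$docId/{owner,title,body}` layout are assumptions for this example; Socrates.io's actual schema only shows `id`, `title` and `body`.

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "documents": {
      "$docId": {
        ".read": "auth != null && data.child('owner').val() === auth.uid",
        ".write": "auth != null && ((!data.exists() && newData.child('owner').val() === auth.uid) || (data.exists() && data.child('owner').val() === auth.uid && newData.child('owner').val() === auth.uid))",
        ".validate": "newData.hasChildren(['owner', 'title', 'body'])"
      }
    }
  }
}
```

Because `.read` is false at `/documents` itself and is only granted per `$docId`, a client cannot list the collection to discover other people's ids, so the "dump the root and iterate" problem goes away even though the ids stay random. The `.write` rule also pins `owner` to the writer's own uid on both create and update, which closes the common ACL mistake of letting a client reassign ownership; sharing a document with a second user would need an additional field (for example a `readers/$uid` map) referenced from the `.read` expression, which is where the comment's point about shared data getting hard to get right applies.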


(Firebase Founder here)

Saurik - We're glad that there are people like you searching for holes in services like Firebase. Hopefully it'll keep making all of us better. Please keep doing it.

As ivolo noted, we do have a security feature set we're testing. It has taken a little while to build something that is both functional and usable. We're pretty confident we've got something that our users will love.

Excited to show you soon!
