I've got a small review system built in AngularJS and Firebase and the only way to identify which review is made by which user is via the uid of the user. The idea is when you then click on the user's name, you should be taken to the profile of that user.

So I would then create a route looking like /profile/{{review.author.uid}} which could translate into /profile/facebook:123234243 for example.

My question is, does it pose a security threat showing the uid in the url like this? Can it be used for any malicious actions against a user's third party account etc?

I've tried looking through their website but I can't find anything on this subject.

EDIT: Note that I need a Firebase-specific answer, not a generic one about database IDs.

Chrillewoodz
  • possible duplicate of [Exposing database IDs - security risk?](http://stackoverflow.com/questions/396164/exposing-database-ids-security-risk) – Neil McGuigan Aug 22 '15 at 19:00
  • Try the search box first please – Neil McGuigan Aug 22 '15 at 19:01
  • @NeilMcGuigan Thanks for the link but it doesn't answer my question entirely since it's not related to Firebase. – Chrillewoodz Aug 22 '15 at 19:04
  • That answer is highly applicable to Firebase as well. Sequential, numeric IDs are predictable and have [other side effects in distributed data](https://www.firebase.com/docs/web/guide/understanding-data.html#section-arrays-in-firebase). Firebase push IDs are chronological, so they still have a factor of predictability, but also [contain 72 bits of randomness](https://www.firebase.com/blog/2015-02-11-firebase-unique-identifiers.html); UUIDs are very strong. Firebase [auth uids are changing to a uuid](https://groups.google.com/forum/#!topic/firebase-talk/s9mv4S46Qs0) in the immediate future. – Kato Aug 24 '15 at 15:32

0 Answers