
This might be a dumb question, but I couldn't find an answer anywhere.

Since all you need to modify a database is the Firebase reference URL, what's stopping me from correctly guessing or finding another Firebase's reference URL (a database that doesn't belong to me) and then deleting all of their data? If you have an open sourced app with a Firebase ref in it--now anybody could potentially delete everything. I see there are rules for the database--but I still don't see how that could be used to safeguard the data.

  • I haven't looked too deeply into it myself, but did you check these [docs](https://www.firebase.com/docs/security/guide/)? – But I'm Not A Wrapper Class Apr 01 '16 at 15:36
  • Yep. From my understanding, in an example of having users stored on Firebase, the rules prevent users from deleting other users' data. But if I cloned someone's repo with their Firebase references--I see nothing stopping me from running code that wipes the entire database. –  Apr 01 '16 at 15:39

1 Answer

If you know the URL, there is nothing preventing you from modifying another Firebase that does not have its rules set up.

See Understanding Security

Which is why it's critical that you put rules in place to safeguard your data.

Here's a quick way to ensure that only users that are authenticated can read and write to your app's node:

```json
{
  "rules": {
    ".read" : "auth !== null",
    ".write" : "auth !== null"
  }
}
```
– Jay
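The rules above stop anonymous writes, but any signed-in user could still wipe another user's data, which is the scenario raised in the comments. The following Realtime Database rules file is an added example, not part of Jay's answer or of any Firebase project; the `users/$uid` layout and the `displayName` field are assumed for illustration. It denies everything by default, scopes each user to the node keyed by their own `auth.uid`, and validates the shape of what gets written.

```json
{
  "rules": {
    // Deny by default: any path not matched below is unreadable and
    // unwritable, so knowing the database URL alone grants nothing.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // A signed-in user may read and write only the node keyed by
        // their own uid; every other user's node stays inaccessible.
        ".read": "auth !== null && auth.uid === $uid",
        ".write": "auth !== null && auth.uid === $uid",

        "displayName": {
          // Assumed field: accept only a short string.
          ".validate": "newData.isString() && newData.val().length <= 64"
        },

        // Reject any key other than the ones declared above.
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

Note that `.read` and `.write` grants cascade to child paths, so a permissive rule near the root would override the per-user checks below it; keep the broad grants off and add narrow ones per path. Test the rules in the Firebase console simulator as both an unauthenticated client and a user with a different uid before deploying.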