0

First, I'd like to introduce you to an imagined situation:

I'm making a website. For that I'm creating the first file: index.html. There I'd like to make a login/register script with Firebase access. I'm putting email and password inputs and a submit button there. Just simple. Now it's time to link them with Firebase, so I'm pasting the JS snippet into the file, creating a createUserWithEmailAndPassword function and enabling Email/password Auth in the Firebase console. Now it's time to make the login panel. I'm creating the same panel but with a "Log in" button, creating a signInWithEmailAndPassword function and an onAuthStateChanged function in which I'm creating the "Getting from Database some information" function to display something for users.

Ok, website is published...

He's a hacker and he wants to destroy all the data in my poor Database, so he copies the whole site's source code but changes the getting-data function to a deleting-data function. He logs in with his own email registered on my website and then activates the deleting function, and all my data is lost...

And finally the question: How to protect against this? Is this situation possible at all? If not - why not?

Frank van Puffelen

2 Answers

2

You protect against situations like this by implementing security rules inside of your database. You can learn about them at: https://firebase.google.com/docs/database/security/

The ones you should be most interested in are `.write` and `.read`, which allow you to define rules for which users can access which parts of your data.

linasmnew
1

The hacker cannot publish his site, because he needs to log in with your email to execute the `firebase deploy` command.

And with the database rule `".write": "auth != null"` the hacker can only delete his own data. You can read a more detailed answer with a database rule here.

Faruk
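How `.write` rules bear on the scenario in the question, as an added example that is not part of the original posts: a simplified JavaScript model of how Realtime Database `.write` rules cascade, comparing a root-level `"auth != null"` rule with a per-user ownership rule. The `/users/$uid` layout, the user names and the `canWrite` and `scenario` helpers are assumptions made for illustration.

```javascript
// Simplified model of Realtime Database ".write" checks (not Firebase's engine).
// Each predicate stands in for the rule string shown in the comment above it;
// keys starting with "$" are wildcard path segments, as in real rules.
const rootAuthRules = {
  // ".write": "auth != null"
  ".write": (auth) => auth != null,
};
const perUserRules = {
  users: {
    $uid: {
      // ".write": "auth != null && auth.uid === $uid"
      ".write": (auth, vars) => auth != null && auth.uid === vars.$uid,
    },
  },
};
// Walk from the root to the target. A ".write" that passes at any level grants
// the write for everything below it (deeper rules cannot revoke it); if no
// rule passes on the way down, the write is denied. A delete is a write.
function canWrite(rules, path, auth) {
  const vars = {};
  const allows = (node) => Boolean(node[".write"] && node[".write"](auth, vars));
  let node = rules;
  if (allows(node)) return true;
  for (const segment of path.split("/").filter(Boolean)) {
    if (!Object.prototype.hasOwnProperty.call(node, segment)) {
      const wildcard = Object.keys(node).find((key) => key.startsWith("$"));
      if (!wildcard) return false; // no rule covers this location: denied
      vars[wildcard] = segment;
      node = node[wildcard];
    } else {
      node = node[segment];
    }
    if (allows(node)) return true;
  }
  return false;
}

// Constructed scenario: "mallory" is signed in with an account of their own.
function scenario() {
  const mallory = { uid: "mallory" };
  return {
    rootAuthDeleteAll: canWrite(rootAuthRules, "/", mallory),
    rootAuthDeleteOther: canWrite(rootAuthRules, "/users/alice", mallory),
    perUserDeleteAll: canWrite(perUserRules, "/", mallory),
    perUserDeleteOther: canWrite(perUserRules, "/users/alice", mallory),
    perUserWriteOwn: canWrite(perUserRules, "/users/mallory/profile", mallory),
  };
}
console.log(scenario());
```

Real rule sets can be exercised the same way before publishing, using the rules simulator in the Firebase console.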