
I'm starting to look at Firestore's database rules and I was wondering: can a user execute an unwanted request using a "hacked" app? I mean, in my app the scope of the user is fairly limited so he can't do damage to the database, but with the same app "hacked", is it possible to use the user token to execute unwanted requests?

My question may not be clear, but to make it simple: can a user of my app execute a request that I didn't write into my code?

Thanks

Renaud Tarnec
Crazyman60

1 Answer

Can a user of my app execute a request that I didn't write into my code?

The answer is yes.

Anyone that can get your Firebase config elements could write a simple HTML page using the JavaScript SDK and try to interact with your Firestore backend. Note that it is not difficult to get your Firebase config elements, see this answer.

Or, much easier, a user can just use the Firestore REST API.
So, the conclusion is that you do need to secure your data with appropriate Security Rules.

Renaud Tarnec
  • Thanks for your quick answer, I was not aware that it was easy to get the Firebase config elements and your example with the HTML page + Javascript SDK made it clear. Just to add a layer of "security" (or just to discourage the less persistent), do you know a way to "hide" Firebase Config elements? I'm using Javascript SDK with VueJS + Flutter's Firebase SDK. Thanks again :) – Crazyman60 May 19 '20 at 10:05
  • And, based on your answer, it's simple for a "hacker" to make your bill expensive, no? I mean, let's say I've a collection of 10K documents, the hacker could easily do a loop that retrieves this collection without any query limit and it'd have as a consequence to artificially explode the read counter, am I right? – Crazyman60 May 19 '20 at 10:09
  • "do you know a way to "hide" Firebase Config elements?" -> No, see https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public/37484053#37484053 – Renaud Tarnec May 19 '20 at 10:10
  • "Let's say I've a collection of 10K documents, the hacker could easily do a loop that retrieves this collection" -> It depends on the access rights. If your security rules allow everyone to read from or write to Firestore, one malicious user could indeed generate a lot of requests. Firebase/Google Cloud monitors the services for DOS or similar attacks; you should contact the [support](https://firebase.google.com/support/troubleshooter/contact) for more info. – Renaud Tarnec May 19 '20 at 10:20
  • Unfortunately yes, on a specific collection I need people to be able to read it (no need for writes as they are done with AdminSDK + Cloud Functions to prevent abuses) and I can't use Cloud Functions as they're way too slow on cold starts. I'll contact them. Thanks again for this precious information. – Crazyman60 May 19 '20 at 11:08
  • Hi, sorry forgot to do it :) Done + accepted as answer, thanks again. – Crazyman60 May 20 '20 at 16:46
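A Security Rules file of the kind the answer and the comment thread point at, added here as an example (it is not part of the original post): one public-read collection that refuses client writes and requires every collection query to carry a limit, plus per-user documents only their owner can touch. The collection names `catalog` and `users` and the limit of 50 are assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed public collection: anyone may read single documents.
    // Client writes are refused; writes done through the Admin SDK
    // (e.g. from Cloud Functions) bypass these rules entirely.
    match /catalog/{docId} {
      allow get: if true;
      // Collection queries must ask for at most 50 documents. A query
      // with no limit does not satisfy this condition and is denied,
      // so one request cannot pull the whole collection.
      allow list: if request.query.limit <= 50;
      allow write: if false;
    }

    // Assumed per-user documents: only the signed-in owner may
    // read or write the document keyed by their own uid.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Any path not matched above is denied by default.
  }
}
```

Rules bound what each request may do, not how many requests a client sends, so the per-query limit caps the cost of a single read but not of a loop of reads; quota alerts and budget limits in the Google Cloud console cover that side.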