
My app is in internal testing and has 2 testers. But the console shows random user emails in the Firestore auth console.


I need to know where these emails come from.

Doug Stevenson
johnrao07
  • I don't have any more details to add. The random emails show up after I roll out an update in the internal test track – johnrao07 Oct 04 '20 at 12:00
  • This seems to be an issue which may require further investigation from a support representative, and may require the handling of personal information. This may be a security issue or a possible internal issue and would require further investigation from the Firebase support team. I would recommend submitting an inquiry with the [Firebase Support](https://firebase.google.com/support/troubleshooter/contact) team in order to appropriately investigate this issue. – KevinH Oct 07 '20 at 00:14
  • Did you disclose your Firebase apiKey to some potentially malicious users? While it is not a security threat to disclose it (see https://stackoverflow.com/a/37484053/3371862) you need to know that someone with your project apiKey can very easily create as many users as they want in your Authentication service, e.g. by using the Auth REST API. See https://firebase.google.com/docs/reference/rest/auth#section-create-email-password. Note also that it is not very difficult to reverse engineer your app to find the apiKey. For example with a SPA web app it’s a matter of seconds. – Renaud Tarnec Oct 07 '20 at 02:21
  • @RenaudTarnec I can confirm that the random emails show up right after I roll out the internal test. There is no way to use the app and data with the Google auth, I think it can be testing emails from the Google Play dev team? – johnrao07 Oct 07 '20 at 21:16
  • @KevinH I will reach out to the support team in a few days if I don't get any answers here – johnrao07 Oct 07 '20 at 21:17
  • These are the people who check your app before approval in the Google Play Console. It happens in my app as well: every time I publish a new release I see a new account pop up. You could add test account credentials in your Play Console. – Harkal Oct 10 '20 at 22:20
  • @johnrao07 Did you manage to understand where these emails come from? I have the same problem. Dozens of emails all formatted like this: johndoe.12345@gmail.com. I suspect that this comes from a sort of automated testing from the Play Store. But I'd like to confirm it. – BbL Sep 04 '21 at 20:52
  • This was a surprise to me too. I had just implemented Google auth, published to internal testing only, and then three random accounts popped in. Any answers come up? – jbryanh Feb 21 '22 at 22:44
  • Happened to me too. Very creepy. – Abushawish Apr 25 '22 at 05:01
  • Same problem here, since I added Google sign-in, new random accounts are popping up. Anyone have an idea? – MrOrhan Oct 03 '22 at 03:42
  • Same issue here and I can confirm that these random users did not log in via my app: when authenticating via my app for the first time, my app creates a user data record in Firebase. All these random users are missing this data record. So they log in another way, but not via my app. Also: I have the email/password provider and the Google provider enabled, all random users are Google users. – Niels Dec 02 '22 at 14:56

1 Answer


I suspect these are Google Play Store test users.

I've just done a controlled test and seen accounts appear shortly after publishing a new internal test version.

The following article from Google, https://support.google.com/googleplay/android-developer/answer/9842757?hl=en-GB, mentions automatic install and crawl of your app in the "How the pre-launch report works" section.

A solution is indicated on this question if you wish to avoid random Google test users on Firebase auth.

Legs2142
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 07 '23 at 05:01
  • Not sure this is correct. I can see in the pre-launch report screenshots, that Google is signing in with `some_account@cloudtestlabaccounts.com`. So that still does not explain the `@gmail.com` accounts. – levi Apr 26 '23 at 00:54
  • They use two types of accounts. One @cloudtestlabaccounts.com and one which is [SomeName].[SomeNumber]@gmail.com. I typically see one of the first type and around 20 of the second type each test I submit. The fact that the Gmail accounts have a very specific email structure makes them easier to spot. – Legs2142 Apr 27 '23 at 12:34
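
An added example, not part of the original answer or comments: a triage of exported auth records that combines the three signals reported in this thread (the `@cloudtestlabaccounts.com` domain, the `[SomeName].[SomeNumber]@gmail.com` shape, and Google-only accounts with no app-created data record). The record fields are modelled on the JSON written by `firebase auth:export` (an assumption), and the function names, the regex interpretation of the address shape and all sample accounts are constructed for illustration.

```python
import re

TEST_LAB_DOMAIN = "cloudtestlabaccounts.com"
# Interpretation of "[SomeName].[SomeNumber]@gmail.com" (assumed: letters, dot, digits).
NAME_NUMBER_GMAIL = re.compile(r"[a-z]+\.\d+@gmail\.com")


def classify(user, profile_uids):
    """Label one auth record as 'test-lab', 'likely-test', 'review' or 'keep'."""
    email = (user.get("email") or "").strip().lower()
    providers = {p.get("providerId") for p in user.get("providerUserInfo", [])}
    if email.endswith("@" + TEST_LAB_DOMAIN):
        return "test-lab"
    if not NAME_NUMBER_GMAIL.fullmatch(email):
        return "keep"
    # A real person can own a name.number Gmail address, so the pattern alone
    # is not enough: also require Google-only sign-in and no app data record.
    if providers == {"google.com"} and user.get("localId") not in profile_uids:
        return "likely-test"
    return "review"


def triage(users, profile_uids):
    """Group user ids by label so that nothing is deleted without review."""
    groups = {"test-lab": [], "likely-test": [], "review": [], "keep": []}
    for user in users:
        groups[classify(user, profile_uids)].append(user["localId"])
    return groups


# Constructed sample records (not real accounts), shaped like the assumed export.
SAMPLE_USERS = [
    {"localId": "u1", "email": "tester.one@example.com",
     "providerUserInfo": [{"providerId": "password"}]},
    {"localId": "u2", "email": "some_account@cloudtestlabaccounts.com",
     "providerUserInfo": [{"providerId": "google.com"}]},
    {"localId": "u3", "email": "johndoe.12345@gmail.com",
     "providerUserInfo": [{"providerId": "google.com"}]},
    {"localId": "u4", "email": "Jane.2020@gmail.com",
     "providerUserInfo": [{"providerId": "google.com"}]},
    {"localId": "u5", "email": "janedoe@gmail.com",
     "providerUserInfo": [{"providerId": "google.com"}]},
]
# uids that have the app-created data record (constructed).
SAMPLE_PROFILE_UIDS = {"u1", "u4", "u5"}

if __name__ == "__main__":
    for label, uids in triage(SAMPLE_USERS, SAMPLE_PROFILE_UIDS).items():
        print(label, uids)
```

The `review` bucket holds accounts that match the address shape but do have an app data record, so a real tester with such an address is not lumped in with the automated ones.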