1

Here's a theoretical scenario: hackers get their hands on a firebase admin key. Now - all the database is open to them. Is there a way to:

  1. Get an alert from Google that someone is using / trying to use the admin access? (Kind of like we get an alert when someone signs into our Gmail account from an unknown device)
  2. Have a 2-steps authentication, such that no admin key alone can access the db?
  3. Are there any other best practices to ensure our users' privacy on firebase other than the 'rules' of course?

I just feel very uncomfortable with a single 'door' to all the database. (even worst: that door may have multiple valid keys...)

Ronen Rabinovici
  • 8,680
  • 5
  • 34
  • 46
  • What do you mean by firebase admin key? Is it the API key or the service account's private key on the server side? This [community answer](https://stackoverflow.com/a/37484053/12857703) makes some great considerations on regards of the security of Firebase in general with the use of rules and API keys. – Ralemos Jan 22 '21 at 11:19
  • Thanks @Rafael Lemos. Here’s the admin I’m talking about: https://firebase.google.com/docs/admin/setup#initialize-sdk – Ronen Rabinovici Jan 23 '21 at 17:12
  • can you give more details of your use app's implementation? meaning is it an app engine hosted app that access Firestore, or multiple cloud functions, maybe on-premises? All of that will differ for security considerations. – Ralemos Jan 27 '21 at 16:04
  • Thank you. It's a general question on what seems to me an inherent vulnerability having a single 'password' to access all db with admin api permissions. It's not app specific. – Ronen Rabinovici Jan 28 '21 at 09:42
  • I was hoping there are some defence mechanisms by Google. Though, I could not find them... – Ronen Rabinovici Jan 28 '21 at 09:43

1 Answers1

1

You could use Secret Manager to store sensitive information such as the key you are mentioning.

The 2 options you suggested do not exist, as that key will likely be used by background services that will occur automatically, so a 2-step authentication or an alert does not make a lot of sense in that case.

Depending on the product you will be accessing the Firestore from there are other ways to make this more secure, but by then it's a product specific inquiry.

Ralemos
  • 5,571
  • 2
  • 9
  • 18
  • Thank you. Are there ways to limit server access to the firestore db to specific IPs? Then, I can authorize our server IP, and our dev IP. – Ronen Rabinovici Jan 29 '21 at 10:33
  • 1
    unfortunately this is not possible, as you can see in this [community answer](https://stackoverflow.com/a/58647852/12857703) – Ralemos Jan 29 '21 at 11:02
  • Too bad :( Seems like a relatively easy solution for a complex issue with magnificent implications. Can we ask google to add that feature? Of course it can be implemented by us on our side - by having 2 servers etc. But - firebase's whole idea is to offload our dev work. – Ronen Rabinovici Jan 29 '21 at 11:38
  • Just to emphasize - I am specifically referring to admin ip limit, not any data request. – Ronen Rabinovici Jan 29 '21 at 11:40
  • 1
    Yes, you can open a feature request for that in Google's [issue tracker](https://issuetracker.google.com/issues/new?component=530136&template=0) – Ralemos Jan 29 '21 at 13:51