
A hacker was able to create users in my client-side-based Firebase site. I was restricting account creation with some sign-up conditions on the user's sign-up form data; I think he just injected sign-up code.

I immediately disabled authentication and removed the malicious accounts.

If I used Firebase Cloud Functions, would this hack still be able to create accounts, since the Firebase configuration was available to any client?

Are there any other actions?

Update 4-9-2022: as a temporary solution until I use Cloud Functions, I made conditions using

https://firebase.google.com/docs/database/security/rules-conditions — if a user was created bypassing my logic, I will make rules to disallow him from accessing certain paths.

Amr Lotfy
  • According to this: https://firebase.google.com/support/guides/security-checklist «API keys for Firebase services are not secret. Firebase uses API keys only to identify your app's Firebase project to Firebase services, and not to control access to database or Cloud Storage data, which is done using Firebase Security Rules. For this reason, you do not need to treat API keys for Firebase services as secrets, and you can safely embed them in client code.» – GrafiCode Sep 03 '22 at 10:16
  • You can [disable signups](https://stackoverflow.com/a/68829085/13130697) directly from the client SDK, but that'll prevent everyone from doing so. How do you define a hacker? – Dharmaraj Sep 03 '22 at 13:06
  • @Dharmaraj I actually think this question is a duplicate of the one you linked. When/once Auth supports App Check, that would also be good to mention in that answer. – Frank van Puffelen Sep 03 '22 at 13:17
  • Accounts were flooding in, with timestamped emails; they seem to be generated by code, about 100 accounts in a few minutes @Dharmaraj – Amr Lotfy Sep 03 '22 at 13:31
  • Firebase does rate limit account creation from a single IP (default 100). As Frank mentioned, once [Firebase App Check](https://firebase.google.com/products/app-check) is available for Firebase Auth, this should reduce. Meanwhile you could [periodically delete users with unverified emails](https://stackoverflow.com/a/67150606) if you want to remove those accounts. You can also enable [user activity logging](https://console.firebase.google.com/u/0/project/_/authentication/settings) and maybe monitor the IPs from where you are getting these requests. – Dharmaraj Sep 03 '22 at 17:43

1 Answer

If you didn't do this already, you could fix this by adding some email verifier functionality, or maybe try adding a captcha.

Also check out: https://firebase.google.com/docs/auth/web/email-link-auth

Blocking the user by IP-address is pretty useless, so I can't really come up with another solution.

One question that you could ask yourself is: what is the reason they are doing this? If it is nothing too serious, you could just accept it and delete all those accounts after the "hacker" stopped making accounts.

DJ Freeman