I am using Firebase web + Analytics, and Firebase makes an internal call that can be seen using DevTools in Chrome. The call is to this URL https://firebase.googleapis.com/v1alpha/projects/-/apps/1:XXXXX:web:XXXXX/webConfig and the response retrieves all Firebase properties:

{
  "projectId": "XXXX",
  "appId": "XXXXX",
  "storageBucket": "XXXX.appspot.com",
  "locationId": "us-central",
  "authDomain": "XXXXX.firebaseapp.com",
  "messagingSenderId": "XXXXXXXX",
  "measurementId": "G-XXXXXXXX"
}

I think this is not secure because anybody could copy them and use them. I don't know if this is because of Analytics or because something has changed in Firebase web version 9. Has this happened to any of you?

I read the Firebase documentation and tried configuring build options, but nothing happened because it is a REST call performed by the Firebase SDK.

EDIT: I have another application using Firebase 6 for web (without Analytics) and this version does not have this issue.

1 Answer

This is the normal behavior of Firebase. Everything is shown to all. This does pose a security issue, but you can secure your app with Firebase Security Rules and with the new Firebase App Check.

Samy Rahmani
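As an added example (not part of the answer above and not Firebase's own sample), a Firestore Security Rules file showing the kind of open rule that makes a copied web config dangerous, beside an owner-scoped replacement. The `users` and `notes` collections and the field names are assumptions chosen for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (left commented out): with this rule, anyone who copies the
    // public webConfig values can read and write every document.
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Helper: the caller is signed in and owns the path segment.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Hypothetical collection: one profile document per user.
    match /users/{userId} {
      allow read, write: if isOwner(userId);

      // Hypothetical subcollection: the owner's notes, with write validation.
      match /notes/{noteId} {
        allow read, delete: if isOwner(userId);
        allow create, update: if isOwner(userId)
          && request.resource.data.keys().hasOnly(['title', 'body', 'updatedAt'])
          && request.resource.data.title is string
          && request.resource.data.title.size() <= 200
          && request.resource.data.updatedAt == request.time;
      }
    }

    // Any path not matched above is denied by default.
  }
}
```

Cloud Storage for the `storageBucket` value has its own separate rules file, and App Check is enabled per product in addition to these rules.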