Firebase storage: Security Rules, Token and Phishing Attack


Mustafa Ekim

Apr 19, 2021, 5:07:57 AM
to Firebase Google Group
Hello,

We have a web app where people can sign up for free, create and conduct exams. When a user uploads a file, we store it inside firebase storage bucket.

Unfortunately last week some people created accounts, uploaded contents and used these contents for their phishing attack. Then our bucket had been inaccessible for 3 days and that stopped our app from working.

How can we stop this? We cannot prevent people from uploading files. And the token given by the getDownloadURL() method makes the file accessible to anyone, even though there are some security rules that require authentication. (allow read, write: if request.auth!=null;)

  • "It seems to me that the security rule allow read: if request.auth != null; should have blocked any reads from unauthorized users, but with the TOKEN parameter, the file is accessible even for requests without an auth object"
Thanks

Rachel Myers

Apr 22, 2021, 4:05:23 PM
to fireba...@googlegroups.com
`if request.auth != null` only restricts access to a user with any UID. If you're using Anonymous Authentication, that will include anyone who uses your app. Even if you're using a more permanent Auth method, you still want to update the Security Rules to your specific app. For example, maybe I should only be able to read files that I created, and only be able to create files in a certain location, with a certain name.

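Below is an added example of the kind of per-user scoping Rachel describes, written for this thread rather than taken from the original poster's app or from Firebase documentation. The path layout (`/users/{uid}/uploads/`), the size limit, the allowed content types and the file-name pattern are assumptions chosen for illustration; adjust them to the app. The weak rule from the question is kept in a comment beside the hardened one so the difference is visible.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // Rule from the question: any signed-in identity (including Anonymous
    // Authentication sign-ins) may read and write every object in the bucket.
    // match /{allPaths=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened replacement. Each user owns one folder; the {uid} path segment
    // must equal the caller's own UID, so users cannot read or write each
    // other's uploads. Anything outside this match is denied by default.
    match /users/{uid}/uploads/{fileName} {

      // Helper conditions (assumed names; inline expressions for clarity).
      function isOwner() {
        return request.auth != null && request.auth.uid == uid;
      }
      function isNotAnonymous() {
        // Anonymous sign-ins carry sign_in_provider == 'anonymous'.
        return request.auth.token.firebase.sign_in_provider != 'anonymous';
      }

      // Only the owner may read their own files.
      allow read: if isOwner() && isNotAnonymous();

      // Creates are limited to a size cap, a short allow-list of content
      // types, and a conservative file-name pattern (assumed values).
      allow create: if isOwner()
                    && isNotAnonymous()
                    && request.resource.size < 10 * 1024 * 1024
                    && request.resource.contentType.matches('image/(png|jpeg)|application/pdf')
                    && fileName.matches('^[A-Za-z0-9_-]{1,64}\\.(png|jpg|jpeg|pdf)$');

      // Owners may replace or remove their own files; nobody else may.
      allow update, delete: if isOwner() && isNotAnonymous();
    }
  }
}
```

Two caveats worth keeping in mind alongside the rules. First, Security Rules are evaluated only for requests made through the Firebase SDKs; a URL returned by getDownloadURL() carries a download token that grants read access without any auth check, which is what the original poster observed. Files that already have such a URL stay reachable until the token is revoked (from the Firebase console, or by clearing the object's `firebaseStorageDownloadTokens` custom metadata with the Admin SDK) or the object is deleted. Second, if user-uploaded content must be shared with people outside the owner's account, serving it through short-lived signed URLs minted by a backend gives a revocation point that a long-lived download token does not.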