security issue regarding firebase database
211 views
Skip to first unread message
Sébastien Andrieu
Apr 1, 2022, 11:20:10 AM4/1/22
to Firebase Google Group
Hi all,
we have an isssue regarding our database. We receive a message from google indicating all users connected can read and write the content of our database.
here the message send by google :
[Firebase] Votre base de données Realtime Database "" présente des règles non sécurisées
Nous avons détecté
les problèmes suivants au niveau de vos règles de sécurité :
- N'importe quel utilisateur connecté peut lire l'intégralité de votre base de données.
- N'importe quel utilisateur connecté peut écrire sur votre base de données.
Si vous ne définissez pas des règles de sécurité strictes, toute personne disposant de l'adresse de votre base de données peut la consulter et y écrire des données. Vos données étant vulnérables, des pirates informatiques peuvent les voler, les modifier ou les supprimer, ainsi qu'effectuer des opérations qui peuvent vous coûter cher."
We don't know how to fix it.
The users have not access directly to the database.
The user have an account (mail / password ) on our app (android and apple), the apps exchange data with database.
Thanks
Philippe
Tracy Hall
Apr 1, 2022, 12:41:20 PM4/1/22
to Firebase Google Group
Security Rules are meant to protect your database from malicious apps and users. RTDB has no idea whether it's your app or someone else's accessing the data directly - it can only verify that IF YOU SET SECURITY RULES; it just knows that, as you have it set up, anyone COULD access it.
The purpose of the security is to authenticate your users/user instance of the app, and use that authentication to protect your data.
As you have it now, if I know the name of your database, I could write my own app and completely destroy your data.
Set Security Rules. Use Authentication. Protect your Data.
Tracy Hall
LeadDreamer
Sébastien Andrieu
Apr 4, 2022, 6:00:29 PM4/4/22
to Firebase Google Group
Hello, thanks for your response.
We use google authenfication for our apps, but actually the users of our back end didn't use google authentification but another type of authentification.
The only solution is to use google authenfication. I don't have other choices, is it right ?
Regards,
Philippe
Tracy Hall
Apr 4, 2022, 6:45:25 PM4/4/22
to Firebase Google Group
*IF* you app uses firebase authentication, then *all* your security rules need to do is check if their authentication exists at all - only allow authenticated users access, even if it is *all* access. I would *not* recommend all-access, since it can allow application bugs to damage your database, but then I try to thing of all the things that can go *wrong*, rather than what happens if everything works *right*.
If your back-end is itself in an authenticated environment, such as Firebase Cloud Functions, then they generally don't need further authentication - they are *already* protected.
There are a number of authentication options for the *client*/*application* side - which is where your security & stability concerns should be.
I don't know the format of security rules in RTDB, but in Firebase Firestore the *minimum* should be:
```
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid;
}
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid;
}
}
}
```
This would allow read, write if the user is authenticated. Any other client-side access would be refused.
These rules do *not* apply to backend code running in an authenticated environment.
Most functional security rule sets are quite a bit longer than this; mine is 400 lines long.
Tracy Hall
Sébastien Andrieu
Apr 5, 2022, 7:05:17 PM4/5/22
to Firebase Google Group
Hi,
I complete my previous post :
For our apps and back end users , we use anonymous authentification method,
and now my rule for firestore is :
-----------------------------------------------------------------------------------
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
}
}
}
---------------------------------------------------------------------------------
is it correct ?
Like you can see, I'm not an expert ...
I appreciate very much your help.
Regards
Philippe
Tracy Hall
Apr 6, 2022, 4:02:34 PM4/6/22
to Firebase Google Group
That will *function*, but could still leave your data vulnerable to malicious or accidental damage by anonymous users. Is your backend in Google Firebase? Cloud Functions and such run in a privileged environment which bypasses security altogether.
In my system, as an example, I do have anonymous users - who have *read only* access to a *limited* selection of data. Even fully logged in authenticated users have quite a FEW limits on their access. ANY "dangerous" of broader access is always executed by the secure back-end.
You will *really* save yourself a lot of problems if you anticipate data integrity *now*
Tracy Hall
LeadDreamer
Reply all
Reply to author
Forward
0 new messages