Re: [Firebase] Question re: security and localhost and oauth

[Jacob Wenger]

Hey Richard,

Let's say malicious user A wants to steal good user B's data from your app which uses our OAuth login. Malicious user A could theoretically spin up a localhost version of your app and be able to authenticate to your app to access their own data. However, in order for them to steal any of good user B's data, they would need good user B to authenticate to their locally hosted version of your app. This means good user B would have to log in on malicious user's A computer. That is a very unlikely situation and not really one you need to be concerned with. Note that localhost is enabled as a redirect origin for development purposes.

Jacob

On Wed, Aug 19, 2015 at 11:33 AM, Richard Renshaw <rhre...@gmail.com> wrote:

I've been fooling around with Firebase and I have to admit it's pretty cool.  One thing I'm curious about though, since everything is front-end what's to prevent someone from scraping the site and running it on their own localhost?  I'm referring to a site using oauth.  Obviously it won't run if it's loaded on another domain that hasn't been whitelisted, but on a PC/MAC running an http server it will work just fine and if they authenticate with oauth they have full access (or whatever level sign in gives) to the DB.  

It doesn't appear that localhost can be removed as an authorized source and people much smarter than me designed Firebase security, so what am I missing?

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/06cd1ea7-c91a-4d29-989a-5a7bf369906f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Richard Renshaw]

I don't understand how that applies unless security in the database is granular down a specific user/node.  If had a database for our favourite app, the ToDo list, and authentication meant read/write access to the 'table' then they would have full access from their computer.  It's the same access that they'd get from the app's native domain, but they could write their own app do anything they wanted - maybe an app to wipe the DB at random intervals or some such thing.  As far as I can tell, there's no way to limit access to a DB to a specific domain.  Unless, again, I'm missing something.

[Jacob Wenger]

Hi Richard,

You can write Security Rules to determine who can and cannot access the data in your Firebase database. You can write rules to prevent erasing your entire database. Being able to authenticate from localhost has nothing to do with this though. A user could theoretically just take an auth token generated by using Firebase Authentication from your actual app and then copy it to a version of your app they created somewhere else and the token would still work. The token is used just for identification / authentication. It has no access associated with it and it is a different kind of token from an access token you would get from Facebook directly. Your Security Rules are the things that grant access. As far as your example is concerned though, a user could do just as much harm from curl as they could from a localhost version of your app if you don't have proper Security Rules in place.

Jacob

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/f00f3665-e907-4de4-a489-7e2d3c3e38eb%40googlegroups.com.

[Richard Renshaw]

I'm just used to dealing with databases which accept connections only from localhost and where localhost is the server.  In the case of Firebase, 'localhost' can be any PC in the world.  I suppose a security rule that specifies a specific source IP address would be the equivalent.  It's a different way of thinking that I'm still wrapping my head around.

[Jacob Wenger]

You cannot specify Security Rules based on IP and in most cases you don't have to. One of the nice things about Firebase is that you can easily read your database from anywhere but it is also something which can get you in some trouble if you don't create Security Rules. I would suggest reading our Security Rules guide and you'll know how to protect your data in no time.

Jacob

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/600bb750-1f4c-4296-a8f1-108c52e27711%40googlegroups.com.