Firebase leaks datas (www.securityweek.com)

submitted 7 months ago* (last edited 7 months ago) by foremanguy92_@lemmy.ml to c/privacy@lemmy.ml

6 comments fedilink hide all child comments

Hundreds of websites misconfigured Google Firebase, leaking more than 125 million user records, including plaintext passwords, security researchers warn.

Once again do not use google based apps, degoogled yourself, and don't trust big companies, have a (de)goo(gle)d day!

top 6 comments

sorted by: hot top controversial new old

[-] Iapar@feddit.de 11 points 7 months ago* (last edited 7 months ago)

*have a degoogled day

Edit: love the edit!

[-] goosegooseboat@lemmy.world 9 points 7 months ago* (last edited 7 months ago)

The issue here isn't so much Google. Just people being stupid and not taking the time to learn how to secure something

[-] Rexios@lemm.ee 5 points 7 months ago

Seriously if you’re using Firebase already how the hell do you mess up auth? Firebase offers a free auth solution that’s pretty much a prerequisite to using any of the other services.

[-] otl@apubtest2.srcbeat.com 2 points 7 months ago

The issue here isn't so much Google. Just people being stupid and not taking the time to learn how to secure something

I'd argue there's poor design that could be patched here. From an article detailing the vulnerability (https://mrbruh.com/chattr/):

My hunch was that in the rush to push their new shiny product, someone would take a shortcut and forget to implement proper security rules.

The hunch was right, and it was worse than I could’ve ever guessed.

then later:

if you use Firebase’s registration feature to create a new user (you cannot register on their site), you get full privileges (read/write) to the Firebase DB.

That it's somehow faster or easier to (mis)configure a system such that you have full read/write is poor design. Secure by default, principles of least privilege; stuff that you want the implementers of the system to stick to so that when you're a user (restaurants), you don't need to think about this sort of thing.

Of course the restaurants are also at fault for putting people's personal info into yet another charlatan AI SaaS.

[-] possiblylinux127@lemmy.zip 4 points 7 months ago

So the "hack" was to just go an create a new admin account? Damn what have we come to

[-] foremanguy92_@lemmy.ml 1 points 7 months ago

😂

this post was submitted on 21 Mar 2024

65 points (93.3% liked)

Privacy

31609 readers

343 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS