by williamstein 2920 days ago
If the following quote from the article is true, it seems like Firebase is not making security easy for developers: "One of the most popular backend database technologies for mobile apps, Firebase does not secure user data by default. It does not warn developers when data is not secure and does not provide third-party encryption tools either. To ensure data is secure, app builders need to specifically implement user authentication on all database tables and rows, but that rarely happens,"
2 comments

Google shouts at you, about 500 times, to secure your Firebase instance. Tutorials are thrown at developers left and right, and the docs mention it again and again.

And the security system is super simple to implement. If the built-in language is too hard, a simplified templating language is also provided.

The plaintext password thing just confuses me. One of Firebase's big draws is integration with their auth system. Why in the world is anyone storing passwords in Firebase? Unencrypted?

How many times do we need to go through issues like this before people realize that just yelling louder has no effect? Services like this should simply not function at all until basic things like a password are put in place.
> Services like this should simply not function at all until basic things like a password are put in place.

New Firebase instances start off locked down by default, not allowing global reads or writes.

The fact that this was not the default since the inception of the service is inexcusable. Sadly, too many other projects still take the approach of yelling at people in some document somewhere instead of forcing security by default.
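The two states the thread talks about, a locked-down root versus per-user rules, written out as an added Realtime Database rules example (not posted by any commenter, and not taken from Firebase's docs). It assumes a `users/$uid` layout and adds a `.validate` entry that rejects writes containing a `password` child, since the auth system, not the database, should hold credentials:

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "password": {
          ".validate": false
        }
      }
    }
  }
}
```

Setting the root to `false` is what "locked down by default" means in practice; the weak configuration this replaces is a root `".read": true, ".write": true`, which grants every client, authenticated or not, access to the whole tree.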
I’m guessing because most developers have no training in web security. Using Firebase as an authentication tool, you’re not supposed to have access to users' passwords — unless you are specifically parsing for it and storing them into the database after account creation.
Firebase used to be open by default (to ease the dev experience, presumably), but sometime around the Google acquisition became private-by-default. It also warns you incessantly when your security rules are too open.

I suspect (hope?) most of the apps still using it insecurely came from before the acquisition by Google.