by nonplus
865 days ago
I reported to Google that I could harvest Firebase JWTs and keep them alive forever in a cloud function by refreshing the access tokens from a cloud function hosted on their own platform. The key issue in my eyes was that there was no way to revoke the exfiltrated JWT. They closed the ticket as:
1) You had to compromise the frontend
2) We bought Firebase within 120 days, so we won't bug bounty it.
Completely ignoring that the authentication could not be rolled. That was the last time I tried to disclose or improve a Google product.
I gave some talks about detecting the use of the same JWT across IP ranges, and using that as a litmus to revoke all user access until your application could contact the user. Anyway, that was all to say my personal experience is that Google does not care about solving security issues and will actively suppress them until they reach some level of critical mass.
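The check mentioned in the comment above (the same JWT appearing across IP ranges, used as a trigger to revoke the user's access) can be sketched as follows. This is an added example, not part of the original comment or any code from the commenter's talks; the log layout, the /24 and /48 range sizes, and the `revoke_all_sessions` hook are assumptions, and the log records are constructed.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample access-log records: (timestamp, user, bearer token, client IP).
# Tokens are placeholders; the addresses come from documentation ranges.
SAMPLE_LOG = [
    ("2024-01-01T10:00:00Z", "alice", "tok-alice-1", "198.51.100.10"),
    ("2024-01-01T10:05:00Z", "alice", "tok-alice-1", "198.51.100.77"),
    ("2024-01-01T10:06:00Z", "bob",   "tok-bob-1",   "203.0.113.5"),
    ("2024-01-01T10:07:00Z", "alice", "tok-alice-1", "192.0.2.44"),
    ("2024-01-01T10:09:00Z", "bob",   "tok-bob-1",   "203.0.113.5"),
    ("2024-01-01T10:10:00Z", "carol", "tok-carol-1", "2001:db8:1::5"),
    ("2024-01-01T10:11:00Z", "carol", "tok-carol-1", "2001:db8:1::9"),
]

def ip_range(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its enclosing network (range size is an assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def token_key(token):
    """Index by digest so raw tokens are not held in detection state."""
    return hashlib.sha256(token.encode()).hexdigest()

def users_to_revoke(records, max_ranges=1):
    """Map each user whose token was seen in more than max_ranges ranges to those ranges."""
    seen = defaultdict(set)  # token digest -> networks the token was presented from
    owner = {}               # token digest -> user
    for _ts, user, token, ip in records:
        key = token_key(token)
        owner[key] = user
        seen[key].add(ip_range(ip))
    flagged = defaultdict(set)
    for key, ranges in seen.items():
        if len(ranges) > max_ranges:
            flagged[owner[key]].update(ranges)
    return {user: sorted(str(n) for n in nets) for user, nets in flagged.items()}

def revoke_all_sessions(user):
    """Hypothetical hook: invalidate every session for the user and queue contact."""
    return f"revoked:{user}"

if __name__ == "__main__":
    for user, ranges in users_to_revoke(SAMPLE_LOG).items():
        print(revoke_all_sessions(user), ranges)
```

Two requests from the same /24 (alice's first two records) do not count as a range change; only the move to a different network flags the token.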