You’re right, some folks don’t fully setup their security rules. We remind our developers to do this, but can -- and clearly need -- to do more. Your suggestion about requiring security rules is a good one. We’ll be going through our customers and providing more personalized feedback on their security rules in the coming days. Also, we are working on additional tutorials and examples to teach our devs how to use our security rules in an interactive way.
Thanks for pointing out some of the areas we can improve our examples. They’re intended to illustrate design patterns, not be robust production apps. Again, we can do better here, and the code we use as an example should be bullet proof.
Like any application, Firebase-powered apps are only as secure as the developers make them. If you do not control access with security rules, your app could be vulnerable. XSS attacks can affect Firebase apps like any other application.
Finally, we would have really liked you to provide responsible disclosure on the specific Firebases you found issue with and given us enough time to speak with those customers before taking this public.
So good news and bad news, bad news first: There doesn't appear to be a Firebase security contact page where you spell out how to get in touch with you if a researcher discovers something like this. Industry standard practice is, for better or worse, if you do not have that page then any available textarea is an acceptable method for communication with you about security vulnerabilities in your software.
The good news: you can trivially address this by adding one page in your CMS, calling it "Security", writing a few sentences of copy, and adding a) an email address which is monitored, b) a promise to write back, and c) (optional) a PGP key.
I hear you about "...Firebase-powered apps are only as secure as the developers make them..." but I guess, you should try to do your best in order to 'tunnel' developers into the best practices of validating input/output and not relying on the client to send 'safe' data. I know it's easy to say and hard to do :)
Nevertheless, it's a great goal to have.
Firebase's solution isn't difficult to configure, it's just more difficult when you contrast it with the simplicity and grace provided by the rest of their product.
My startup is addressing the usability mainly by acting as a proxy to a client's sensitive data storage, and providing a sane set of defaults for very specific applications.
This space is awesome, and so is Firebase - Client-side apps are incredibly attractive for MVP development - it's almost as slick a feeling as moving from PHP to Rails 10 years ago :)
Completely agree with the implications in this article. My experience in building a Firebase app was that it was easy to design the app's first cut, as long as security / privacy was not taken care of.
As soon as security / privacy / quota needs to be factored in, the whole model collapses. Security requires a lot of careful and complex design in the FireBase system. And it wasn't even possible to implement quotas the last I checked (couple of months back).
Given that the use case for Firebase is taking the place of your traditional server side architecture and storage, it seems kind of obvious that you would have to take heed of the security implications and set them up properly. The security concerns don't magically vanish just because you don't write the server side code.
Requiring Security Rules is a bad idea and would really stall the work flow in projects where you don't need them. I have one of those where I don't care if people manipulate the data via the console.
Anyway, the Firebase team should really address these security issues that keep coming up all the time.
Basically by disallowing read access to /users in the Firebase security rules (which you should do), the latter 50% of the article would be moot. However the html injection is interesting, be extra careful to validate data when using dynamic jquery-selectors?
This was something that really prevented me from pursuing Firebase as a real asset, despite its easy real time socket magic. If there's a diagram to "roll your own" after, though, it's probably moot (forums/ chat). Their json-rpc server has a really slick api and they've spent a lot of time on problems such as authentication and data security.
You could argue that moot is just a very well designed Firebase app as far as security permissions go, but at least it's proof that it's possible to rely entirely on pub/sub for your app and be fast, scalable, and successful.
You’re right, some folks don’t fully setup their security rules. We remind our developers to do this, but can -- and clearly need -- to do more. Your suggestion about requiring security rules is a good one. We’ll be going through our customers and providing more personalized feedback on their security rules in the coming days. Also, we are working on additional tutorials and examples to teach our devs how to use our security rules in an interactive way.
Thanks for pointing out some of the areas we can improve our examples. They’re intended to illustrate design patterns, not be robust production apps. Again, we can do better here, and the code we use as an example should be bullet proof.
Like any application, Firebase-powered apps are only as secure as the developers make them. If you do not control access with security rules, your app could be vulnerable. XSS attacks can affect Firebase apps like any other application.
Finally, we would have really liked you to provide responsible disclosure on the specific Firebases you found issue with and given us enough time to speak with those customers before taking this public.
We’ll reach out to you via email now.