Misconfigured Firebase Instances Expose 125 Million User Records
www.securityweek.com
A weakness in a Firebase implementation allowed researchers to gain access to names, phone numbers, email addresses, plaintext passwords, confidential messages, and more.

Hundreds of websites misconfigured Google Firebase, leaking more than 125 million user records, including plaintext passwords, security researchers warn.

Once again do not use google based apps, degoogled yourself, and don’t trust big companies, have a (de)goo(gle)d day!

  • Oliver Lowe@apubtest2.srcbeat.com
    2·
    8 months ago

    The issue here isn’t so much Google. Just people being stupid and not taking the time to learn how to secure something

    I’d argue there’s poor design that could be patched here. From an article detailing the vulnerability (https://mrbruh.com/chattr/):

    My hunch was that in the rush to push their new shiny product, someone would take a shortcut and forget to implement proper security rules.

    The hunch was right, and it was worse than I could’ve ever guessed.

    then later:

    if you use Firebase’s registration feature to create a new user (you cannot register on their site), you get full privileges (read/write) to the Firebase DB.

    That it’s somehow faster or easier to (mis)configure a system such that you have full read/write is poor design. Secure by default, principles of least privilege; stuff that you want the implementers of the system to stick to so that when you’re a user (restaurants), you don’t need to think about this sort of thing.

    Of course the restaurants are also at fault for putting people’s personal info into yet another charlatan AI SaaS.