Is it possible to hack and Update a firebase realtime database data

firebase firebase-realtime-database

Recently i build a app using Firebase, But after i got Some users through advertisement, Someone just hacked Firebase database and Updated all user datas like . Username Profile pic path

They set it to a bad word and bad pic.

So then i Also Checked the Firebase rules and redefined them..

Like

Only Authenticated users can read/write.

But problem is.

The hacker is still updated the Value on firebase db.

and i want to know what i am missing.

Is it possible to update a Firebase db without the whole secure key and things.. using a browser may be?

User data of a single user ...

email : "https://m.me.developer.scg" lastseen : "1617987743" pic : "https://www.dropbox.com/s/03a50cx4adxqepk/(url cannot be posted publically it contains nude images)" privacy : "PU" state : "offline" status : "Lets watch some movies" type : "FREE USER" username : "FU*KED BY DreamPLAY"

Here the hacker updated the 3 fields. email : pic: username:


You have to know that as soon as (1) someone has the apiKey of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).

Getting the apiKey is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).

Consequently, rules only based on auth != null allow anyone that has signed-up through the REST API accessing your Realtime Database. No need to use any GUI: after having been identified through the Auth REST API, the user can use the RTDB REST API.

One classical approach to avoid "non-desired" users to access data, is to add one or more Custom Claims to the desired accounts and use these claims in the Security Rules: See the doc for more details.


I will answer as parts :

  1. Reason of Problem : The Hacker found your API then created project and added your API to it then he created authenticated user then he updated the fields , So this the reason of problem

  2. Solution :

    First : is to create unique Fields (e.g Email to 1234567890Email as Example but more secure)

    Second : is to connect to Google Cloud Platform then setup Google Cloud Platform HTTP with your Domain (As Firebase will only accept data from your Domain ONLY)

    Third : Is to create more secure rules as to denied access to Entire Database but just give access to some collections or even documents So it will be more secure

    I just covered the most famous actions (You can see more but by google your problem) & Wish I helped you :)

Related

SecurityException - GoogleCertificatesRslt: not allowed
Pytorch model gradients are printed correctly but copied wrongly
@DELETE method is not supporting(Non-body HTTP method cannot contain @Body or @TypedOutput.)
IntelliJ go back after Command + Click
Can you use Redirect and Proxypass at the same time
Postfix : error: unsupported dictionary type: mysql
openssh - Adding an ssh key from putty to authorized_keys
PowerShell Quickstart [closed]
UFW on Ubuntu to Allow All Traffic on LAN
How to I test if mod_rewrite is enabled?
Is It Possible to Copy an AWS Security Group?
What are the possible issues in using very short DHCP lease time (< 1min)?