Someone Hack My Firebase & Deleted all data

Kanishka_Developer · January 23, 2019, 12:20pm

Yes, I can read and write with my rules set up like that.

pipechela · January 23, 2019, 12:27pm

can you share how did you get it please? i don’t understand why i can’t

i succesfully login, but when i want to get the tag list, it doesn’t show unless i put the rules to true

Kanishka_Developer · January 23, 2019, 1:31pm

I don’t use Firebase Authentication.

pipechela · January 23, 2019, 6:21pm

So, how do you do it?

Daaniiieel · January 23, 2019, 6:59pm

Firebase auth and database are two different things

pipechela · January 24, 2019, 5:21pm

I know, but if you want a private database, you need to authenticate

kentleow1496 · August 26, 2020, 7:48pm

==I think I know the reason. In fact, it is not that someone deleted it, but the wrong code logic in your application. For example, you let users get the data, but at the same time other users can also get the data, and all users can also The data is deleted, then when the data has been deleted by one of the users, and the other user also deletes the label, the data no longer exists in the database. Therefore, all data is deleted. I have encountered this The problem has been several times, and I still don’t know how to use firebase. Recently, I have been studying firebase and at the same time I did this action. All data was deleted immediately.

themaayur · August 27, 2020, 3:48am

@kentleow1496 your are 2 years late to answer

kentleow1496 · August 27, 2020, 4:18am

Yes, because I happened to be searching for ways to prevent the application from deleting all the data when there is an error, and I saw the reason by the way, so that when someone like me is looking for an answer in the future, there will be no whereabouts, because I It is uncomfortable to understand that when a person wants to do something serious without help, it is hard to get help, so I don’t want someone to be like me

ibrarasadjoyo · August 27, 2020, 6:25am

You may have set database rules to “Test Mode” which allows anyone to read or write data without Token.

cedkim · August 27, 2020, 6:57am

Yes. It’s important to remember about security. It’s easy to ignore, but don’t! When you put API keys and other stuff in your app, it’s important to remember that even obfuscated data can be found. That’s why server-side security is so important. Don’t expect that protection within your app alone will ward off hackers. As someone who’s done ethical hacking before (I used to get requests from sites to hack them and report any security vulnerabilities, super cool side hustle), I get extremely nervous every time someone says that obfuscation is a good method, or that their app is well-protected without server-side security.

JaviR3TicS · August 27, 2020, 8:56am

So, could you share a good form to secure them?

cedkim · August 27, 2020, 9:01am

What do you mean? If you mean a method, Firebase’s built-in security rules are a method. I’ll link to some useful resources about them here.

Getting started guide:
https://firebase.google.com/docs/firestore/security/get-started

Syntax and structure:
https://firebase.google.com/docs/firestore/security/rules-structure

Writing conditions (like allowing access only when user is signed in):
https://firebase.google.com/docs/firestore/security/rules-conditions

There’s also more on their official documentation website.
Remember, when things are only secured on the client side, anyone could reverse-engineer it and do something bad. While there are many people who will report these vulnerabilities (like me, an ethical hacker who lets people know about security holes), there are people who will use it against you, like you showed.
Server-side security is very important, and I suggest that you read through these linked documents a bit to get an idea of how it works in Firebase (and how to implement it).

Daaniiieel · August 31, 2020, 8:15am

This. There is a lot of app inventor apps with horrible firebase security (allow writing for everyone). But it’s not just the creators fault, most tutorials show it this way.
The lazy man’s solution would be not to include your firebase properties in the component itself, but set it with set blocks when the app starts using obfuscated strings.

This is still far from 100% secure but makes reverse engineering a bit harder.

ombhat327 · September 15, 2020, 2:19pm

In my case I used Ofbuscated text but still hacked within a 30 sec how it will overcome?
what is the proper solution of this ?
how to use it properly?

ombhat327 · September 15, 2020, 2:25pm

i think there are ways… to do that… im also hunted by this

JaviR3TicS · September 15, 2020, 2:32pm

You can try to use this extension:

cje9604 · January 8, 2021, 12:41am

That is why I secure my account often. I have not been hacked before, nor have my apps been hacked and I never use Firebase.

Vikas_Kumar1 · January 30, 2021, 4:47am

Without data user can’t get own data
If payment data delete user can’t use project

Boban · April 17, 2021, 11:30am