Firebase's DB (Firestore) being almost default-allow is even funnier, and that w... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		frollogaston 28 days ago \| parent \| context \| favorite \| on: Tea app leak worsens with second database exposing... Firebase's DB (Firestore) being almost default-allow is even funnier, and that was the core functionality from the start, leading to tons of huge breaches over the years. At least a public file bucket is a more valid use case, except I'm guessing they left the "list files" permission open. Edit: Oh, chat DB is probably Firestore, so they left that open too, nice. Having used it several times, yeah I wouldn't entrust it to a dev team. It's gotten better lately but still seems like the gun is always pointed at your foot. Also GCP, storing secrets properly in AppEngine is notoriously difficult and prone to accidental git-commit: https://stackoverflow.com/questions/58371905/how-to-handle-s...

andrepd 28 days ago [–]

It's to this kind of quality engineering that they want me to entrust my ID so I can watch pr0n or insult a politician online. Jesus.

frollogaston 27 days ago | [–]

Are they specifically using Firebase for that? I'm not saying GCP is unsafe in general, just Firebase.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact