andygeers / firebase-keysafe

A backend service to aid in encrypting a Firebase database by securely storing user's data encryption keys.
MIT License

Firebase Admin SDK - Potential Security Issue #4

Open johndarsena opened 5 years ago

johndarsena commented 5 years ago

I was reviewing your blogpost and the source code for this project because I am currently interested in implementing something similar.

From my understanding, the reason for implementing this project in this way is to make it so 2 different google accounts would need to be compromised in order for any individual's user data to be accessible. However, if someone got Admin access to just the firebase account, couldn't they then just use the firebase admin SDK to create a custom auth token for the user, submit that to google app engine and grab the decrypted encryption key plus any of the encrypted data on firebase?

Just want to see if I am missing something?

andygeers commented 5 years ago

Thanks so much for raising this. I have played around with this to try and see if it's a genuine vulnerability. As far as I can tell, it's OK, because even a Custom JWT will have to be signed by a private certificate that belongs to Account 1 (the one that owns the Firebase RTDB), whereas this Keysafe is checking for JWTs issued by Google itself using their own private key (see _GOOGLE_APIS_CERTS_URL here) - it is "verifying ID tokens issued by Firebase and the Google APIs infrastructure".

I tried issuing a custom JWT using the Firebase Admin SDK but it requires you to supply your own key and so the Keysafe couldn't verify it since it didn't know about that key.
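The distinction in the comment above, as an added example that is not code from firebase-keysafe or the Firebase Admin SDK: a verifier that only knows Google's published signing keys rejects an Admin SDK custom token because it is signed by the project's service-account key, not because of anything in its claims. Real Firebase ID tokens and custom tokens are RS256 JWTs; to stay runnable with the Python standard library alone, this example uses HS256 with per-`kid` secrets standing in for the two RSA key pairs. The project id, service-account e-mail, key ids and secrets are all constructed for the example; the claim layouts (`iss`/`aud`/`sub` for an ID token, `iss`/`sub`/`aud`/`uid` for a custom token) follow the Firebase documentation.

```python
"""
Added example (not code from firebase-keysafe): why an Admin SDK custom token
does not pass a verifier that only trusts Google-issued ID tokens.

Real tokens are RS256; HS256 with per-kid secrets is used here only so the
example runs with the standard library. The trust logic is the same: the
verifier knows the "Google" keys only, so a token signed by the project's
service-account key fails before any claim is examined.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key material, addressed by "kid" as in real JWT headers.
GOOGLE_KEYS = {"google-kid-1": b"constructed-google-signing-secret"}
SERVICE_ACCOUNT_KEYS = {"sa-kid-1": b"constructed-service-account-secret"}

PROJECT_ID = "example-project"  # assumed Firebase project id
ID_TOKEN_ISSUER = "https://securetoken.google.com/" + PROJECT_ID
SA_EMAIL = "firebase-adminsdk@example-project.iam.gserviceaccount.com"  # assumed
CUSTOM_TOKEN_AUD = ("https://identitytoolkit.googleapis.com/"
                    "google.identity.identitytoolkit.v1.IdentityToolkit")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, kid: str, key: bytes) -> str:
    """Produce header.payload.signature with an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def google_id_token(uid: str, now=None) -> str:
    """What Firebase Auth hands the client after sign-in (signed by Google)."""
    now = int(now if now is not None else time.time())
    claims = {"iss": ID_TOKEN_ISSUER, "aud": PROJECT_ID, "sub": uid,
              "iat": now, "exp": now + 3600}
    return sign_jwt(claims, "google-kid-1", GOOGLE_KEYS["google-kid-1"])


def admin_sdk_custom_token(uid: str, now=None) -> str:
    """What createCustomToken() produces: signed by the service account."""
    now = int(now if now is not None else time.time())
    claims = {"iss": SA_EMAIL, "sub": SA_EMAIL, "aud": CUSTOM_TOKEN_AUD,
              "iat": now, "exp": now + 3600, "uid": uid}
    return sign_jwt(claims, "sa-kid-1", SERVICE_ACCOUNT_KEYS["sa-kid-1"])


def verify_google_id_token(token: str, now=None) -> dict:
    """Keysafe-style check: trusted key set first, then issuer/audience/time."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    kid = header.get("kid")
    # Only keys published by Google are trusted; a real verifier checks RS256.
    if header.get("alg") != "HS256" or kid not in GOOGLE_KEYS:
        raise ValueError("unknown signing key: %r" % kid)
    expected = hmac.new(GOOGLE_KEYS[kid], (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(now if now is not None else time.time())
    if claims.get("iss") != ID_TOKEN_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != PROJECT_ID:
        raise ValueError("wrong audience")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    return claims


def attempt(token: str):
    """Return (accepted, uid_or_reason) so the outcome can be inspected."""
    try:
        return True, verify_google_id_token(token)["sub"]
    except ValueError as e:
        return False, str(e)


if __name__ == "__main__":
    print(attempt(google_id_token("user-123")))
    print(attempt(admin_sdk_custom_token("user-123")))
```

Swapping the `kid` in a custom token's header for Google's key id does not help an attacker either: the signature was still made with the service-account key, so the HMAC (or, in the real system, RSA) check fails. Holding the service-account key therefore lets you mint tokens that Firebase Auth will exchange, but not tokens the keysafe will accept.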

johndarsena commented 5 years ago

Ok, that is good to know. I was planning on using a different 3rd-party authentication provider like auth0, which is considerably more expensive. Perhaps I will do some testing on this as well in the next few days and see what I find.

johndarsena commented 5 years ago

From my investigation, it appears as though the custom JWTs verified with _GOOGLE_APIS_CERTS_URL will fail as you've stated, which is good.

One other potential security vulnerability, unless I am missing something again: if the owner of the Google account running the Google App Engine code gets compromised by a rogue employee or otherwise, all the ID tokens for Firebase users are still getting sent to the server for verification purposes. That server could then take the auth tokens as they come in and use them to grab the encrypted encryption key from Firebase for that user, as well as any of the encrypted data it wants to decrypt.