firebase / firebase-android-sdk

Firebase Android SDK
https://firebase.google.com
Apache License 2.0

Getting some security issues #6086

Closed devsideal closed 2 weeks ago

devsideal commented 3 weeks ago

This issue is referred from: https://github.com/firebase/flutterfire/issues/13053

Getting some security issues when scanning with AppSweep with the packages below:

cloud_firestore: ^5.0.1 shows "Insecure hashing algorithm MD5 used" with the findings below: [screenshot]

firebase_auth: ^5.1.0 shows "Insecure hashing algorithm SHA1 used" with the findings below: [two screenshots]

firebase_messaging: ^15.0.1 shows "Insecure hashing algorithm SHA-1 used" with the findings below: [screenshot]

STR:

  1. Add all three of the given packages and sync
  2. Build the APK file
  3. Test the APK with any security testing tool such as AppSweep
  4. You will see the security issues.

Flutter version is: 3.22.2

google-oss-bot commented 3 weeks ago

I found a few problems with this issue:

dconeybe commented 3 weeks ago

Drive-by comment: Firestore does indeed use MD5, but not in a security context:

https://github.com/firebase/firebase-android-sdk/blob/ec68af618192de27d80a15e99fe9655d4629f2af/firebase-firestore/src/main/java/com/google/firebase/firestore/remote/BloomFilter.java#L141

This code is part of the algorithm that keeps Firestore's local cache in sync with the server. This is not a security context. The warning about using an insecure hash algorithm can be safely ignored. We chose MD5 over a cryptographically-secure hashing algorithm because the performance of MD5 was measured to be significantly better and security was not needed for this particular hash.
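The non-security use described in the comment above, as an added example (not code from the Firebase SDK or from the commenter): a minimal Bloom filter that uses MD5 only to spread keys over a bit array. The class name, filter size, hash count and sample keys are assumptions made for illustration; a hash collision here can only cause a false positive, which a Bloom filter tolerates by design.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.BitSet;

// Added illustration only; this is not the Firebase SDK's BloomFilter class.
public class Md5BloomFilterDemo {
    private final BitSet bits;
    private final int bitCount;
    private final int hashCount;
    Md5BloomFilterDemo(int bitCount, int hashCount) {
        this.bits = new BitSet(bitCount);
        this.bitCount = bitCount;
        this.hashCount = hashCount;
    }

    // MD5 serves only as a fast, well-distributed mixing function: 128 bits -> two 64-bit values.
    private static long[] md5Halves(String key) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            ByteBuffer buf = ByteBuffer.wrap(md5.digest(key.getBytes(StandardCharsets.UTF_8)));
            return new long[] {buf.getLong(), buf.getLong()};
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }
    // Double hashing: the i-th bit index is (h1 + i * h2) mod bitCount, computed unsigned.
    private int index(long[] h, int i) {
        return (int) Long.remainderUnsigned(h[0] + i * h[1], bitCount);
    }

    void add(String key) {
        long[] h = md5Halves(key);
        for (int i = 0; i < hashCount; i++) bits.set(index(h, i));
    }
    // False means definitely absent; true means possibly present (false positives are expected).
    boolean mightContain(String key) {
        long[] h = md5Halves(key);
        for (int i = 0; i < hashCount; i++) if (!bits.get(index(h, i))) return false;
        return true;
    }
    public static void main(String[] args) {
        Md5BloomFilterDemo f = new Md5BloomFilterDemo(1024, 7);
        // Constructed sample keys.
        for (String k : new String[] {"users/alice", "users/bob"}) f.add(k);
        System.out.println("users/alice -> " + f.mightContain("users/alice"));
        System.out.println("users/carol -> " + f.mightContain("users/carol"));
    }
}
```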

devsideal commented 3 weeks ago

Thanks @dconeybe for the clarification. What about the other issues?

dconeybe commented 3 weeks ago

I've added the "auth" tag so someone with auth expertise can comment.

gsakakihara commented 3 weeks ago

https://github.com/firebase/firebase-android-sdk/blob/f23f6f11610640d767dcda65702a21a7d61f5d27/firebase-messaging/src/main/java/com/google/firebase/messaging/GmsRpc.java#L247

firebase-messaging is using that value as an identifier for deduplication, not security, so there shouldn't be a security issue using SHA-1.