mazipan / tanyaaja.in

❓ Easily collect questions anonymously from anyone
https://tanyaaja.in
MIT License
138 stars 38 forks

[ Security Vulnerability ] Firebase Configuration Disclosure, Sensitive Information #139

Open rizkytegar opened 10 months ago

rizkytegar commented 10 months ago

Hello, I see something wrong here. You hide the Firebase configuration in .env, which is here:

configuration file

https://github.com/mazipan/tanyaaja/blob/master/src/lib/firebase.ts

screenshots (image not reproduced)

configuration structure

  export const firebaseConfig = {
    apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,
    authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,
    projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
    storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET,
    messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,
    appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID,
    measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID,
  }

Poc

I even easily found the firebase configuration. shouldn't it be hidden?

see details below

screenshots (image not reproduced)

configuration structure

  apiKey: "xxxxxxxx",
  authDomain: "tanyaajaapp.firebaseapp.com",
  projectId: "tanyaajaapp",
  storageBucket: "tanyaajaapp.appspot.com",
  messagingSenderId: "xxxxxxxx",
  appId: "1:xxxxxxxx:web:xxxxxxxx",
  measurementId: "G-xxxxxxxx"

I did not show in detail where the configuration is exposed, but at least it's enough to give an idea that your configuration is exposed.

This is a practice that is actually not recommended, because the built-in JavaScript framework will result in obfuscated code, and we can still read the code; if we are careful we will find sensitive things.

Hi mazipan @mazipan, can you confirm with me whether this needs to be followed up or not?

Thank you, Rizky

mazipan commented 10 months ago

I believe it's a security vulnerability.

But also found this interesting answer: https://stackoverflow.com/questions/37482366/is-it-safe-to-expose-firebase-apikey-to-the-public#:~:text=It%20is%20not%20a%20security,uses%20Firebase%20as%20its%20backend.

Also related in how we use Firebase.

Basically we only use Firebase for Authentication and Analytics; we are not using any other features. I believe this information reduces the possibility of leaking user info when you have the API key.
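The two points argued above (that a `.env` file does not hide `NEXT_PUBLIC_*` values, and that the Firebase web config is a set of project identifiers rather than a credential) can be checked mechanically. The following is an added example written for this page, not code from the tanyaaja project. It assumes the documented Next.js rule that only environment variables prefixed with `NEXT_PUBLIC_` are inlined into the browser bundle, uses the `AIza…` prefix of Google API keys purely as a matching heuristic, and scans two constructed, fake bundle fragments: one containing only the public web config, and one where a service-account JSON (which is a real secret) was bundled by mistake.

```javascript
// Added example, not part of the tanyaaja repository.
// Part 1: which env vars end up in the client bundle (Next.js rule: NEXT_PUBLIC_ prefix).
const CLIENT_PREFIX = "NEXT_PUBLIC_";

function partitionEnv(env) {
  const client = {};     // inlined into browser JS at build time; cannot be hidden
  const serverOnly = {}; // available only to server code (API routes, server components)
  for (const [name, value] of Object.entries(env)) {
    (name.startsWith(CLIENT_PREFIX) ? client : serverOnly)[name] = value;
  }
  return { client, serverOnly };
}

// Part 2: scan built JS for Firebase identifiers versus real credentials.
// Public identifiers: expected in any Firebase web app; restrict them with
// API key restrictions and Security Rules, not by hiding them.
const PUBLIC_PATTERNS = {
  apiKey: /AIza[0-9A-Za-z_-]{35}/g,          // Google API key shape (heuristic)
  appId: /1:\d+:web:[0-9a-f]+/g,             // Firebase web app id shape
  measurementId: /G-[A-Z0-9]{8,}/g,          // Google Analytics measurement id
  authDomain: /[a-z0-9-]+\.firebaseapp\.com/g,
};

// Credentials: must never appear in anything served to a browser.
const SECRET_PATTERNS = {
  privateKeyBlock: /-----BEGIN (?:RSA )?PRIVATE KEY-----/g,
  serviceAccountJson: /"type"\s*:\s*"service_account"/g,
  privateKeyField: /"private_key"\s*:/g,
};

function scanBundle(text) {
  const publicIds = {};
  const secrets = {};
  for (const [name, re] of Object.entries(PUBLIC_PATTERNS)) {
    const found = text.match(re);
    if (found) publicIds[name] = [...new Set(found)];
  }
  for (const [name, re] of Object.entries(SECRET_PATTERNS)) {
    const found = text.match(re);
    if (found) secrets[name] = found.length;
  }
  const verdict = Object.keys(secrets).length ? "credential leak" : "public config only";
  return { publicIds, secrets, verdict };
}

// Constructed sample data (fake values, not the project's real config).
const FAKE_API_KEY = "AIzaSyA" + "0".repeat(32); // 39 chars, matches the heuristic
const SAMPLE_PUBLIC_BUNDLE =
  `(self.webpackChunk=self.webpackChunk||[]).push([[1],{42:function(e,t,n){var r={` +
  `apiKey:"${FAKE_API_KEY}",authDomain:"example-app.firebaseapp.com",` +
  `projectId:"example-app",storageBucket:"example-app.appspot.com",` +
  `messagingSenderId:"123456789012",appId:"1:123456789012:web:abcdef0123456789",` +
  `measurementId:"G-ABCDEFGH12"};}}]);`;
const SAMPLE_LEAKED_BUNDLE =
  SAMPLE_PUBLIC_BUNDLE +
  `var sa={"type":"service_account","project_id":"example-app",` +
  `"private_key":"-----BEGIN PRIVATE KEY-----REDACTED-----END PRIVATE KEY-----",` +
  `"client_email":"svc@example-app.iam.gserviceaccount.com"};`;

console.log(JSON.stringify(scanBundle(SAMPLE_PUBLIC_BUNDLE), null, 2));
console.log(JSON.stringify(scanBundle(SAMPLE_LEAKED_BUNDLE), null, 2));
```

In the first sample the scan reports only public identifiers, which is the situation this issue describes; in the second it flags the service-account material, which is the case that actually warrants an incident response (key rotation) rather than an attempt to hide the web config.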