Closed ryanbnl closed 4 years ago
Hi @ryanbnl, Firebase Cloud Functions can either be called directly from the Firebase SDK on a Web or Mobile client or through a REST-style HTTPS call. Each function exposes its own endpoint: https://$region-$projectname.cloudfunctions.net/$functionname
For more info about calling a Cloud Function from the Client: https://firebase.google.com/docs/functions/callable
For more info about calling a Cloud Function over an HTTP request: https://firebase.google.com/docs/functions/http-events
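Added example (not part of this thread or of the Firebase SDK): the per-function endpoint scheme described in the reply above, the JSON shape the callable protocol puts on the wire, and, for contrast, a single-endpoint dispatcher of the kind asked about in the question, where the target name travels inside the request body instead of the URL path. The `target`/`payload` envelope fields, the handler names and the sample inputs are assumptions made up for illustration.

```javascript
// Added example; not Firebase code. Assumes Node.js, no dependencies.

// 1. Per-function endpoint, as described in the reply:
//    https://$region-$projectname.cloudfunctions.net/$functionname
function functionUrl(region, project, name) {
  if (!region || !project || !name) throw new Error('region, project and function name are required');
  return `https://${region}-${project}.cloudfunctions.net/${name}`;
}

// 2. Callable protocol body. The client SDK POSTs a JSON object with a
//    `data` member and reads back `{ result }` on success or `{ error }`.
function callableRequestBody(data) {
  return JSON.stringify({ data });
}

function parseCallableResponse(text) {
  const body = JSON.parse(text);
  if (body.error) {
    const err = new Error(body.error.message || 'callable function failed');
    err.status = body.error.status; // e.g. "INVALID_ARGUMENT", "UNAUTHENTICATED"
    throw err;
  }
  return body.result;
}

// 3. Alternative layout (hypothetical, not how Firebase routes calls): one
//    endpoint, and the envelope names the target. A Map built from an
//    allowlist of handlers means lookups like "constructor" or "__proto__"
//    do not resolve to Object.prototype members.
function createDispatcher(handlers) {
  const table = new Map(Object.entries(handlers));
  return function dispatch(envelope) {
    if (!envelope || typeof envelope.target !== 'string') {
      throw new Error('envelope must carry a string target');
    }
    const handler = table.get(envelope.target);
    if (!handler) throw new Error('unknown target'); // do not echo the name back
    return handler(envelope.payload);
  };
}

// Constructed sample handlers standing in for real functions.
const dispatch = createDispatcher({
  addMessage: (p) => ({ id: 1, text: String(p.text).trim() }),
  ping: () => ({ pong: true }),
});

module.exports = { functionUrl, callableRequestBody, parseCallableResponse, createDispatcher, dispatch };
```

With the per-function scheme the function name is part of the URL path; with the dispatcher it is only in the request body. In both cases the path and body are inside the TLS record, so the difference matters for server logs, proxies and anything else that terminates TLS, not for a passive observer of the transport.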
Super, that's what I wanted to hear. If they're called over HTTP then that's obviously a pretty big privacy leak even if the message contents are encrypted, because the URL is visible during transport and the endpoint name already exposes too much info :)
The use of Firebase itself remains a blocker though.
The endpoint name does not reveal any private information and all calls are made over HTTPS. You would need a MITM attack with SSL interception to read the payload of the requests as well as the responses.
Exactly :) However, given the level of some of the submissions during the weekend...
Which submission?
For a start, those which haven't distributed source code. The others are obvious if you have a look on social media. I don't want to be too nasty and actually name anyone on GitHub. It was a hackathon after all, and part of the aim is to filter... :)
How are the service endpoints exposed? Is there one endpoint which is called via an encrypted transport, with the envelope containing the target function/service? Or is it REST-style where the function name is exposed via the endpoint?