opentrace-community / opentrace-cloud-functions

OpenTrace Cloud Functions. Reference implementation of the BlueTrace protocol.
https://bluetrace.io
GNU General Public License v3.0

Question regarding the API #24

Closed ryanbnl closed 4 years ago

ryanbnl commented 4 years ago

How are the service endpoints exposed? Is there one endpoint which is called via an encrypted transport, with the envelope containing the target function/service? Or is it REST-style where the function name is exposed via the endpoint?

erwanmace commented 4 years ago

Hi @ryanbnl, Firebase Cloud Functions can either be called directly from the Firebase SDK on a Web or Mobile client or through a REST-style HTTPS call. Each function exposes its own endpoint: https://$region-$projectname.cloudfunctions.net/$functionname

For more info about calling a Cloud Function from the Client: https://firebase.google.com/docs/functions/callable

For more info about calling a Cloud Function over an HTTP request: https://firebase.google.com/docs/functions/http-events

ryanbnl commented 4 years ago

Super, that's what I wanted to hear. If they're called over http then that's obviously a pretty big privacy leak even if the message contents are encrypted because the URL is visible during transport and the endpoint name already exposes too much info :)

ryanbnl commented 4 years ago

The use of Firebase itself remains a blocker though.

erwanmace commented 4 years ago

The endpoint name does not reveal any private information and all calls are made over HTTPS. You would need a MITM attack with SSL interception to read the payload of the requests as well as the responses.

ryanbnl commented 4 years ago

Exactly :) However given the level of some of the submissions during the weekend..

erwanmace commented 4 years ago

Which submission?

ryanbnl commented 4 years ago

For a start those which haven't distributed source code. The others are obvious if you have a look on social media. I don't want to be too nasty and actually name anyone on github. It was a hackathon after all and part of the aim is to filter... :)