Today we are trying something a bit different (again). Brandon Evans, senior instructor with SANS, contributed the video below, talking a bit about the breach of the Tea App, and how to prevent and detect this vulnerability.

Firebase is a very popular database developed by Google. It easily ties in with modern web and mobile applications. Sadly, as so often, it comes with some configuration challenges out of the box. 

As a traditional ("old school") web developer, it would have never crossed my mind to allow users to connect directly to my backend database. But modern tools like Firebase often encourage just that. All security controls must now reside in the database itself, and many modern, in particular "NoSQL" databases, are lacking the fine-grained access control rules we learned to love in traditional SQL databases. This leads to applications that may implement detailed access control rules, but they become meaningless once the user connects directly to the database, bypassing any application-specific controls. Flawed applications often rely on client-based access control "tricks" that are easily bypassed. 

Sadly, this is not just a vibe-coding issue. Developers have been able to code defective applications without the help of AI, and this is not only a bad, but also a sad, pattern found in many modern applications using tools like Firebase.

Fixing this issue is not necessarily hard. Start by implementing strong Firebase rules, or avoid these tools in favor of backend data stores with stronger access controls out of the box. If you do rely on specific strong configurations, make sure they are verified as part of your CI/CD pipeline. And as always, lock down your cloud configuration. Firebase does inherit GCP IAM policies.

More details from Brandon Evans are in the video below.

You can reach Brandon at bevans-at-sans.org or check out his classes at https://sans.org/brandonevans

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|