You’re right, some folks don’t fully setup their security rules. We remind our developers to do this, but can -- and clearly need -- to do more. Your suggestion about requiring security rules is a good one. We’ll be going through our customers and providing more personalized feedback on their security rules in the coming days. Also, we are working on additional tutorials and examples to teach our devs how to use our security rules in an interactive way.
Thanks for pointing out some of the areas we can improve our examples. They’re intended to illustrate design patterns, not be robust production apps. Again, we can do better here, and the code we use as an example should be bullet proof.
Like any application, Firebase-powered apps are only as secure as the developers make them. If you do not control access with security rules, your app could be vulnerable. XSS attacks can affect Firebase apps like any other application.
Finally, we would have really liked you to provide responsible disclosure on the specific Firebases you found issue with and given us enough time to speak with those customers before taking this public.
We’ll reach out to you via email now.
The good news: you can trivially address this by adding one page in your CMS, calling it "Security", writing a few sentences of copy, and adding a) an email address which is monitored, b) a promise to write back, and c) (optional) a PGP key.
Some good examples:
http://www.twilio.com/docs/security/disclosure
http://37signals.com/security-response
http://technet.microsoft.com/en-us/security/ff852094.aspx
P.S. This advice is broadly applicable to everyone here who owns or helps to manage a software company.
I'll add one now.
I hear you about "...Firebase-powered apps are only as secure as the developers make them..." but I guess, you should try to do your best in order to 'tunnel' developers into the best practices of validating input/output and not relying on the client to send 'safe' data. I know it's easy to say and hard to do :) Nevertheless, it's a great goal to have.
Good luck! Ido
We'll be aiming to do this with future tutorials on security.
My startup is addressing the usability mainly by acting as a proxy to a client's sensitive data storage, and providing a sane set of defaults for very specific applications.
This space is awesome, and so is Firebase - Client-side apps are incredibly attractive for MVP development - it's almost as slick a feeling as moving from PHP to Rails 10 years ago :)
As soon as security / privacy / quota needs to be factored in, the whole model collapses. Security requires a lot of careful and complex design in the FireBase system. And it wasn't even possible to implement quotas the last I checked (couple of months back).
if(!user) { alert('you are not logged in!');}
If only the NSA used this level of blurring in their recent redacted documents...
Anyway, the Firebase team should really address these security issues that keep coming up all the time.
You could argue that moot is just a very well designed Firebase app as far as security permissions go, but at least it's proof that it's possible to rely entirely on pub/sub for your app and be fast, scalable, and successful.