> 06/01 - Vulnerability Discovered
> 09/01 - Write-up completed & Emailed to them
> 10/01 - Vulnerability patched
Note those dates are DAY-MONTH. At least they patched it within a single day.
I find it funny that the author found a massive vulnerability but chose to wait a couple days to report it so they could finish a nice write-up.
Reminds me of my experience with HackerOne: We had some participants who would find a small vulnerability, but then sit on it for months while they tried to find a way to turn it into a larger vulnerability to claim a higher prize.
Then when they finally gave up on further escalation and submitted it, they'd get angry when we informed them that we had already patched it (and therefore would not pay them). The incentives in infosec are weird.
The only email listed on their site was for the sales team which would not be checked on a weekend.
I am not against bug hunting by any means, but if you want to me act like I care about your product and not about my money, pay me monthly.
You don’t make HackerOne your primary source of security testing. It’s a fun thing you do in addition to your formal security work internally.
The reason people do it is because so many people expect or even demand payment and public recognition for submitting security issues they found. Just look at how many comments in this thread are insisting that they pay the author various amounts of money. The blog post even has a line about how they have not provided recognition (despite being posted exactly on the day it was fixed, giving the company almost no time to actually do so).
HackerOne style programs provide a way to formalize this, publicize the rules (e.g. we pay $25K for privilege escalation or something) and give recognition to people finding the bugs.
Pentesters like it not only because they get paid, but now they can point to their record on a public website.
This isn’t a “gig economy bad” situation.
I have never found out if this is a side gig, a full-time job, or a hobby for people.
From a bug hunter's perspective, certain issues are often underpaid or marked as non-issues (and then subsequently fixed without paying out) so it’s in their interest to find a chain of issues or explore to show real impact.
Then from the programme's perspective you have to contend with GPT-generated reports for complete non-issues, so I can also understand why they might be quick to dismiss without hard impact evidence rather than a “potentially could be used to”.
They couldn't even be bothered to send a proper thank you.
Considering that there is “more than one way to skin a cat”, it is not a given that vulnerabilities further along the chain will be resolved by closing the initial vector.
When a chain of vulnerabilities is reported it might become clear that not only does the initial attack vector need to be closed, but additional work needs to be done in other areas because there are other ways to reach that code which was called further along the attack chain.
Nope! The two vulnerabilities are usually one and the same. The person is just trying to find a clever way to access additional data to make their payout larger.
From the customer perspective, getting the initial vulnerability fixed ASAP is the best outcome.
When they start delaying things to explore creative ways to make their payout larger, everything goes unfixed longer.
Maybe it's because the write-up was well written that they could patch in a day?
That's what you'd expect: finding != understanding, and you need some understanding before you can submit a sensible, actionable report to the vulnerable party. And then you need to write it up in a way that will be understood by the recipient. Going from initial finding to submitting a detailed report in a few days is excellent turn-around time.
The incentives in infosec are weird.
Full disclosure is the only honest way to operate. For everyone involved. Much smarter folks than me have been saying it for decades.
Well - only the amateur infosec world where you try and force someone to be your client after you do the work, and then get butthurt when they don't become your client.
In the professional infosec world the clients choose to hire you first.
Other than this security vuln, the issues vs. just using postgres are:
* It is more work! Despite being a backend as a service it is much less code to just write a simple API backend for your thing, both in time to do it and time to learn how to do it. Think of Firebase as being on the abstraction level of Sinatra or express and you may as well just use those. Things like Firebase and Parse etc. are more complicated. For the same reason it is more complicated to walk to work with just your arms and no legs (even though there are fewer limbs to deal with and no backend!).
* Relational is king. Not being able to do joins really sucks. Yes you need to make async calls in a loop. NoSQL is premature optimisation.
* Lots of Googlization. This means lots of weird, hard to find out clickops configuration steps to get anything working. Probably why this security flaw existed(?).
* Emulator is flakey, so for local dev you need another cloud DB, and yes all that Googlized setup RSI inducing clickops.
* I reckon it is slower than postgres at the scale of starting a project. Traditional architectures are blitz fast on modern hardware and internet. Like playing a 90s game on your laptop.
* Apparently as you scale it gets pretty pricey.
The main thing is: it actually slows you down! The whole premise is this should speed you up.
On top of the Googlized clickops, there's the whole Firebase vs Google cloud situation, where you end up having to drop down to "real" google cloud for certain specific features. The docs appear to be detailed but you often end up with more questions than answers.
If you are ever thinking about using firebase, give Supabase a try. The emulator works well, the dashboard is there for prototyping but you can just write SQL to clearly define your database and migrations. Since it's just postgres you have a clear route to leave Supabase if you should ever want to.
I’m not at Google anymore but I was a core contributor to the Firebase emulators project when I was. I can think of many flaws with the emulators but flakey is a new one to me
Firebase is not an alternative to Postgres alone. You need an actual API server. The value of Firebase is you don’t need that, nor do you need to worry about ops, authentication, queues or other things.
The issue the OP found could have been easily fixed by simply reading the docs, but that seems to be a rare activity these days.
The hard work of using Firebase’s APIs, libraries, reading its docs (which are detailed but badly organized) is more than the delta between not needing a backend. And for a non-trivial app you will end up using functions: in fact if you want a guarantee that your user has a name then you will need to write a function. And that is… a backend, like writing an app.route statement.
Regarding Postgres, that is where tools like PowerSync (disclosure: co-founder) and ElectricSQL are useful, which are both sync layers for Postgres for offline-first architecture.
Key words right there. The relational model is a timeless mathematical model for data that gains both logical consistency and adaptability as a result. It has and will continue to stand the test of time.
Something like DynamoDB can be great for simple data. I liked the idea of Graphql (technically the API query and not the database). Both of them turn into hot garbage once you get into complex data, especially if it's being aggregated from multiple sources. Or maybe the systems I work with just implemented them poorly.
When mobile apps started out, most had little to no online features.
As the mobile apps market grew, more and more of these apps started requiring account persistence, sharing content with other users, real-time online interactions, etc.
That's when Backend as a Service became a thing (eg Parse), targeting developers with little to no server-side experience. And that's when Firebase popped up.
I remember having some issue, and thought: well, it's JS, let me just check the source like I normally would! Only to find out that you couldn't browse the full client source code anywhere. At that point my only option was to reverse engineer the minified source which just seemed silly and like a waste of time.
Firebase moat has nothing to do with their frontend library, which anyone could reverse engineer with a little bit of time. And yet they still kept it closed source. I don't know if anything has changed since then, but that was the primary reason why I lost interest in the service.
EDIT:
loud buzzer
Careful, Icarus: "permissions can be setup to allow global read-writes" is a "vuln" of every system.
p.s. Any comment on why her blog has you guys "remembering Chattr" then getting a seedy Firebase pwner GUI, and yours has you diligently looking through .ai TLDs?
Sorry, but supabase has a similar issue.
Another blog going over that has or will be made by Eva (referenced on the site)
One particular thing that annoys me with SB is that by default, or when you create a table with SQL, they're publicly accessible, which is very bad! (Firebase defaults to no access in production mode.)
Question is how much effort that is. It's scarily easy on Firebase, idk about Supabase.
If you take this approach, it's "pay now or pay later".
-- Fellow millennial
What I found is you are right and FB is easier for the Millennial, Gen Z, Boomer or whatever IF everything you need can be done by rules and schema.
As soon as you need to write functions (because rules are not sophisticated enough or too slow/expensive, or you want to know why the thing got denied) then you are writing backend code.
It is actually easier to write the same code in a NextJS template - like there is less to learn, less docs to read. And then chuck it on Vercel which will deploy and devops it for you. So you have all the devops done for you like Firebase would and you have spent less time. Now if you are talking to postgres instead of firebase from the backend, it is actually easier IMO. A line to connect to pg. A line to issue a query.
Guess this is just my opinion, but it is less code to do so, less environment variable farting around, downloading a weird .json with all the credentials. If I were inclined I would write a blog post showing how much less lines of code are needed, how much less understanding is needed, and with the managed infra/DB offered by Vercel etc. you are still serverless, etc.
In my eyes people should be free to pentest whatever as long as there is no intent to cause harm and any findings are reported. Sadly, many companies will freak out and get the law involved, even if you are a good samaritan.
Pretty clear to me, "it was searching for exposed Firebase credentials on any of the hundreds of recent AI startups.", running a script to scan hundreds of startups
> Sadly, many companies will freak out and get the law involved, even if you are a good samaritan.
Yeah, but that also ends with that company being shamed a lot of the time
The web is insecure enough as it is, I just want to do my part to make it that little bit safer :)
The bad guys don't play by the rules so the rules only hinder the good guys from helping. I think Internet security would be in a better position if we had legislation to protect good samaritan pentesters. Even moreso if they were appropriately rewarded.
https://www.ftc.gov/news-events/news/press-releases/2023/11/...
If a neighbor came to me and said, "Hey, your mailbox that's located at the end of your long dirt driveway is protected by a wafer lock that can be opened by simply slapping the side of the mailbox in a funny way," I would maybe wonder why they were slapping my mailbox but I would be grateful that they told me and I would want them to continue doing whatever weird shit they were doing (so long as it wasn't causing damage).
When you put property in a public (or practically public) space, there's an expectation that it will not be treated as though it is on private property. There's a big difference between someone jiggling the door to your home (where you physically reside) and jiggling the lock on a mall gumball machine or the handle on a commercial fire exit.
There is a big difference between the digital world and the physical one. Many actions, e.g. stealing, are very different in these 2 worlds and have very different implications.
The internet is like the former not the latter and taking a moral high ground stance that it just should be otherwise is just screaming underwater while doing nothing to actually protect yourself from an actual real threat.
I'd be very thankful if I moved to some place I'm unfamiliar with where people lockpicking is just a cultural norm and someone warned me I should get a better door.
I wouldn't even consider this "hacking" really. If prosecuted a defense attorney familiar with both the technology and the admitted niche area of computer crime law can readily conduct some very effective cross-examination against whoever the state is bringing out as a witness. The government does frequently rely on the lack of tech-competent and accessible counsel as a way to exert coercion (and usually resulting in a plea), and it doesn't help that the layperson has a very difficult time figuring out what qualities constitute competency when looking for attorneys (hence the enduring popularity of jingles since being memorable is frequently mistaken for being competent), but they are out there.
Forget the pwn how do I do this
Also, HN used to think this was cool now there are 20 posts blaming the hacker…
Fun fact: the `bell` control character is part of the ascii standard (and before that the baudot telegraph encoding!) and was originally there to ring a literal bell on a recipient's telegraph or teletype machine, presumably to get their attention that they had an incoming message.
To keep backwards compatibility today's terminal emulators trigger the system alert sound instead.
\u0007
It’s handy to put in your shell code that takes a few seconds, or more, to complete.
I'm not sure whether it's HN thinking this is uncool (it is cool!) or it's HN taking the unfortunate realistic position that this type of stuff only gets the reporters into trouble, after seeing it happening time and time again. People doing cool stuff get in trouble, and it's sad to watch.
This guy just grabbed publicly available information, and by 'public' I mean put out onto the web un-protected, just put out there. If you can just basically browse to something, is it really his fault for finding it.
It's like if I have a front door on my house, and just in the front hallway I have a huge naked picture of my wife. If I leave the door open, can I get mad at pedestrians walking by for seeing the picture? Maybe they walk up to ring the door bell just to get a closer look; walking up to the door, but not going in, is allowed.
It is meant to be used after a command or a chain of commands to give feedback about success or failure. The alias by itself doesn't issue a ping, but can easily be amended to do so.
What worked for me is to add an invocation of `paplay`. Actually it is two different invocations, one sound for success and another one for failure.
In addition to that I also send an ASCII 0x07. I have both `tput bel` and `echo -e "\a"` in my alias, but don't remember why. Probably one of them is enough. I do this because I have my terminal emulator set to visual bell and that causes the tab to change color when the command is finished, so I can immediately see it even if I am in another tab.
beep() {
    # $? here is the exit status of the command that ran before "; beep"
    if [ $? -eq 0 ]
    then
        file=/usr/share/sounds/purple/receive.wav
        ret='true'
    else
        file=/usr/share/sounds/purple/alert.wav
        ret='false'
    fi
    # Play in a detached subshell so the prompt comes back immediately
    (aplay "$file" 2>/dev/null >/dev/null &);
    # Re-establish the original success/failure status for chaining
    $ret
}
Can be called like this: $ command ; beep
Depending on the return value it'll give a different alert. It preserves the return value so you can still chain other dependent commands after it. This depends on the libpurple sounds being where they are (works in Ubuntu at least).
Fish config: https://github.com/qznc/dot/blob/master/config/fish/config.f...
Notification script: https://github.com/qznc/dot/blob/master/bin/notify_long_runn...
I stole it from some zsh solution originally.
#!/usr/bin/env zsh
(mpg123 /path/to/processing3.mp3 > /dev/null 2>&1)
processing3.mp3 is the "task completed" sound from Star Trek, then it's just `./foobar.sh && boc` or `./foobar.sh; boc` as appropriate.
sudo apt install pulseaudio-utils
./some_script ; paplay /usr/share/sounds/freedesktop/stereo/complete.oga
./myscript.sh; curl -d "Script done" ntfy.sh/mytopic
Disclaimer: I am the maintainer of ntfy.[1]
[1] https://ntfy.sh/ + https://github.com/binwiederhier/ntfy
Title is misleading.
Personally I feel the title is justified but I understand and respect your viewpoint.
Also keep in mind that trying to clarify the such would also make the title much longer than I desired.
That’s what you should call it. It explains to readers what’s going on without over sensationalism.
That isn’t too long either.
By this argument, getting access by phishing a company employee also wouldn't count as an attack on the company.
These companies are responsible for their employees behavior and data but they are not responsible for nor legally liable for (in most cases, some exceptions apply) the actions of a third party that they have retained to help with hiring.
In fact the contract they have with said third party likely absolves them of any liability.
The title should be: I owned an AI startup via Firebase misconfiguration.
You can even name the startup if you want. That’s not flashy though and this person wants marketing.
The right people will read it (Chattr.ai’s customers) and respond. Right now everyone looks at it and some CISO will overreact and make everyone go check their Firebase configurations which may likely be a non-value add.
Naming and shaming does work.
Seems well funded companies are immune from data liability or responsibility.
Also Wikipedia has a list of major data breaches: https://en.wikipedia.org/wiki/List_of_data_breaches.
I totally understand how you feel though.
"Hi, we have fixed the issue you reported to us. Thank you so much. We are willing to offer a reward of <x> dollars to you, because you have protected our customers. Please reach out with a payment address or any other questions you might have. Thanks again, Tim from <Large corporation>"
and... stop timer. 11:27:38
was that so hard?
That redirects to https://www.careersatsafeway.com/desktop/home -- which is very much not about jobs at safeway -- appears to be an Indonesian gambling/gaming site.
Safeway.com has zero email contacts published and expects communication to be via phone call or chatbot. I found their domain admin email and sent them info with no response, and no change to their site behavior.
This makes me think that they might be ripe for more monkey business but that's not my thing. Oh well.
I was tempted to find their CTO on linked in and post a message there, along with the fact that there was no reply to my outreach nor a proper channel to do so.
I think the only thing in their defense is that they must get a lot of angry customer messages and they just don't want to deal with that.
I've done enough here but ffs, if that form requires an account to be created beforehand then don't let the submitter go to the trouble of filling it out and then discard it.
But as noted elsewhere, it's still not fixed.
And the link you shared is a good thing but is that going to be easy to find to someone who sees an issue with your websites? I'd recommend putting a link here: https://www.safeway.com/help/contactus
Forcing function would be cyberinsurance policies that typically want to see audit results if you have multi-million dollar policy limits.
NOTE: I am not a legal professional, just making my guess.
If you can't view the images then it means you are likely using an outdated browser, all current versions of browsers support it (afaik) except Internet Explorer.[0]
...And if you are using Internet Explorer, then god help you.
I had a moment of total freakout when I realized the person across from me at lunch had an iPhone on the table. Actually he had an Android, and we continued talking like no big deal.
To be clear, we were talking about a 10-100M dollar problem, this wasn't small potatoes.
Too many exploits, I can't imagine having anything of value on an iphone.
You pwned them? What are you twelve? All you did was commit a felony and post it online.
Read this please https://news.ycombinator.com/newsguidelines.html
Make a tool which will look at the list of all the franchises within radius of person, and have it auto submit applications to all of them simultaneously...
For anyone who's never used Firebase before this is as simple as a single piece of logic that appears basically as:
if authUserID is UserDirectoryID
That simple.
That seems like an insane design...
It sounds like the rule that they wrote only checked that the request _is logged in_, because they assumed that visitors can't create their own accounts.
> When the user requesting access isn't signed in, the auth variable is null. You can leverage this in your rules if, for example, you want to limit read access to authenticated users — auth != null. However, we generally recommend limiting write access further.
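The two rule shapes the comments above are contrasting, as an added example written for this thread rather than Chattr's actual rules (which were never published). It assumes the Firebase Realtime Database rules language and a hypothetical `users/$uid` layout; the `.read`/`.write` keys and the `auth` variable are the real rules-language constructs quoted from the docs above.

```json
{
  "rules": {
    // Added example, hypothetical "users/$uid" layout.
    // Nothing is readable or writable unless a deeper rule grants it;
    // a missing top-level rule would otherwise rely on whatever a
    // child path happens to say.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // WEAK (the pattern described in the thread): any signed-in
        // account, including one a visitor just self-registered, can
        // read and write every user's record.
        //   ".read":  "auth != null",
        //   ".write": "auth != null",

        // HARDENED: the caller must be signed in AND be the owner of
        // the record being touched. Every other user's data returns
        // permission-denied.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

The check that matters is `auth.uid === $uid`: `auth != null` only proves that *some* account is signed in, and when sign-up is open to the public that is no restriction at all. The explicit `false` at the root is the second half of the fix, so that any path not covered by a more specific rule is denied rather than left to the defaults of the project mode you happened to pick.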
I thought there was a US law now where breaches like this have to be reported?
Yes.
> Will they report it?
Probably not (unless forced imo).
Chattr is a private company - https://www.crunchbase.com/organization/chatrr
WTF.
Recently I reported an issue to a company valued at >$10bil; the issues were quietly fixed, not a single response back, not even a "thank you".
> we didn't know much about firebase at the time so we simply tried to find a tool to see if it was vulnerable to something obvious and we found firepwn, which seemed nice for a GUI tool, so we simply entered the details of chattr's firebase
Genuinely curious (I’ve no infosec experience), wouldn’t there be a risk that a tool like this could phone home and log everything you find while doing research?
Plus as part of the pentesting I watch the network stack in Firefox sometimes, so I would tell if it was trying to exfiltrate data.
Being "good" and giving companies free work is a HORRIBLE idea. They're never gonna pay, or even thank you. If they're not willing to treat security researchers properly, I see no reason to return the favor.
Remember security groups: if your company won't pay, there are others that will.
It's... way too successful internally, lol, because we have a lot of permissions and privileges to manage now. And now we have to figure out good ways to assign these permissions to people more efficiently.
But that's a better problem than a GDPR relevant data breach, to be honest.
I'm not clear on this. Splice a new entry into what? The list of admin users? And then do what with it?
For example, my school's laundry app. Takes 8s to load because it continually refreshes the screen while it is trying to make a connection to their portal. Even now I just checked, it logged me out, took 5 seconds to let me touch the login, I placed in my email, grabbed my password from my password manager, it cleared my email, retyped, and now the login is grayed out. Looks like I'm currently locked out. Looking at the laundry rooms, it takes 45s to load (literally, I timed it), and then the rooms aren't in order. It'll be like A4, A6, A7, A3, A11, A9, and so on. I'm not sure it's even manually filled in because they seem to change. Plus I have to unplug and replug the machines constantly because they disconnect from the server. The dryer is a pain. This happens enough that the cords are worn down and it is a fire issue.
Yesterday I ordered from Jersey Mikes. They have a field where you can specify instructions. They do keyword filtering so you can't place a word like "cheese" in it, because they want you to click the box, but the box doesn't let you specify what kind of cheese. You also can't use words like "extra." Employees have always understood my shorthand or leet speak.
My housing processes applications via LIFO instead of FIFO. So all the students who renew their applications a month after the deadline get approved for their housing before anyone who does it within a reasonable time.
Electric bikes are known to light on fire when charging them. Tesla doesn't cover warranty for water damage. Google Maps routinely tells me to be in the wrong lane or miscalculates the number of lanes that exist. Google Drive's solution to scrolling through music too fast is to lock you out, which just results in the user picking up the phone. Mine also likes to frequently disconnect itself and there's no low data mode so sometimes it just overloads my car's infotainment computer. Classic halt and catch fire situation.
I can go on about this stuff and it astounds me. Something is fundamentally broken when we can have computers that can talk to us in natural language but we are unable to design a system where employees understand the concept of a sorted list. Not to mention that I won't be surprised when that building catches fire.
Edit: I got logged in. My username was pasting into my password because their password field is labeled as a username field... but it is also hidden... They also double charged me in the past, said they didn't, and their solution was for me to issue a clawback with my bank. These people just don't care.
I really believe a lot of people are building things that they never test and never use. Even at big companies.
Don’t expose your database / api / blob storage bucket / etc to the public! It’s not that hard to do it right, or at least “right enough” that you can’t get owned by someone scanning a whole TLD.
Having slightly tried Firebase, I can also say that the Google cloud tool environment was really confusing the last time I tried using it. Just this enormous maze of switches, and dials, and widgets, like a lot of the popular IDEs.
If the defaults are not set on something sane, and I, a personally evaluated competent tech user with some background in security (fed work) can barely find the settings, then most normal humans with limited grasp of those issues probably won't even know to look.
What is additionally sad, is that your comment - in 2024 - is being downvoted.
If there was a pentester agreement, safe harbor, or other protection that's different. Be careful out there.
I'd argue that it was absolutely necessary to gauge the severity of this misconfiguration and furthermore, that Chattr.ai must contact every affected user, not MrBruh.
Their configuration allowed anyone to create an account and access plaintext passwords. There is no telling whether and how many outside of this disclosure have previously accessed this information and may intend to use it. This was negligence of the highest order, and it shouldn't be on the one finding and reporting this issue to rectify it.
Knowing that they store passwords in plaintext is a security issue on top of the R/W credential
Is this because doing so might be seen as an admission of liability, and could be used in any legal cases that are brought?
Nice to see someone doing good.
Before, one collaborator had them in a chat sneering about chattr, checking their Javascript, then getting a GUI pwn tool for firebase.
i.e. targeted attack with malice, followed up with a blog post wildly exaggerating what happened, with a disclosure policy of 'we emailed them once and they fixed it and didn't email us back so we'll just publish'
Only spelling this out because it's important to point out the significant gaps between white hat culture and these actions, not only for the authors, but for people who are inspired and want to practice it
I found it a little tricky to start with while getting familiar with the rules, but it worked really well after I got the hang of it.
If they steer you to one of these third party services, send your resume by snail mail directly to the HR director with a cover letter highlighting all the data breaches such as this one, LinkedIn, Indeed, etc. You'll stand out as someone who pays attention.
And for that matter, how that kind of initiative would be received by your potential future manager at the drive-thru.
I feel like I sound a little patronizing, but my broader point is it’s not other people’s job to be responsible for this kind of data security, especially in a relationship so imbalanced as that between a job seeker and the potential employer who offers only one pathway to gainful employment.
As to the remedy you propose, I’m reminded of the inimitable @patio’s Seeing Like A Bank [0], where he points out that banks (like other firms) use techniques like the paper letter that you described as subtle shibboleths to distinguish people who are likely sophisticated customers from the rank and file.
[0] https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
I’m curious what the limits are
I don't see how this "p0wns" the companies themselves
Firebase.database().ref('/').set('All your data is gone').
Better yet, download the whole DB and then:
Firebase.database().ref('/').set('I have all your data, pay me to get it back').