I’m certainly no web security expert, but shouldn’t Tea’s junior network/backend/security developers, let alone seniors, know how to secure said Firebase or S3 buckets with STARTTLS or SSL certificates? Shouldn’t a company like this have some sort of compliance department?
It’s a little more complex than that. If you want the app on the user device to be able to dump data directly into your online database, you have to give it access in some way. Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.
Obviously there are ways around this too, but it’s not just “use TLS”.
Wouldn’t some sort of proxy in between the bucket and the client app solve this problem? I feel like you could even set up an endpoint on your backend that manages the upload. In other words, why is it necessary for the client app to connect directly with the bucket?
Maybe I’m not understanding the gist of the problem
Exactly, it’s not necessary. It’s bad / lazy design. You don’t expose the DB storage directly, you expose a frontend that handles all the authentication and validation stuff before accessing the DB on the backend. That’s normal Client-Server-Database architecture.
Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.
Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and then decrypted on the database host?
Clearly my utter “noobishness” is showing, but at least it’s triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.
Any recommendations on literature or articles on how engineers solve these problems in a “best practices” way that you can recommend? I suppose I could just look it up, but I thought I’d ask.
Edit: I don’t know why I’m down-voted. My questions were sincere.
SSL is not the tool you need in this case, although you should obviously already be running exclusively on encrypted traffic.
The problem here is one of access rights - you should not make files default-available for anyone that can figure out the file name to the particular file in the bucket. At the very least, you need to be using signed URLs with a reasonably short expiration, and default all other access to be blocked.
As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.
Is it really just permission rights “over-exposure” issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?
Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?
My hey we’re probably using Firestore as their database without authenticating their api calls to firebase functions. Basically leaving their api endpoints open to the public Internet.
They could have connected service account and used some kind of auth handshake between that and generate a temporary login token based on user credentials and the service account oauth credentials to access the api. but they probably just had everything set to unauthenticated
Every time. With startups, it’s always an unsecured Firebase or S3 bucket.
I’m certainly no web security expert, but shouldn’t Tea’s junior network/backend/security developers, let alone seniors, know how to secure said Firebase or S3 buckets with STARTTLS or SSL certificates? Shouldn’t a company like this have some sort of compliance department?
It’s a little more complex than that. If you want the app on the user device to be able to dump data directly into your online database, you have to give it access in some way. Encrypting the transmission doesn’t do much if every app installation contains access credentials that can be extracted or sniffed.
Obviously there are ways around this too, but it’s not just “use TLS”.
Wouldn’t some sort of proxy in between the bucket and the client app solve this problem? I feel like you could even set up an endpoint on your backend that manages the upload. In other words, why is it necessary for the client app to connect directly with the bucket?
Maybe I’m not understanding the gist of the problem
Exactly, it’s not necessary. It’s bad / lazy design. You don’t expose the DB storage directly, you expose a frontend that handles all the authentication and validation stuff before accessing the DB on the backend. That’s normal Client-Server-Database architecture.
Encrypt the credentials then? Or OAUTH pipeline, perhaps? Automated temporary private key generation for each upload (that sounds unrealistic, to be fair)? Can credentialing be used for intermediary storage that encrypts the data on that server and then decrypted on the database host?
Clearly my utter “noobishness” is showing, but at least it’s triggering a slight urge to casually peruse modern WebSec production workflows. I am a DNN researcher. Thus, I am far removed from customer-facing production environments, and it shows.
Any recommendations on literature or articles on how engineers solve these problems in a “best practices” way that you can recommend? I suppose I could just look it up, but I thought I’d ask.
Edit: I don’t know why I’m down-voted. My questions were sincere.
SSL is not the tool you need in this case, although you should obviously already be running exclusively on encrypted traffic.
The problem here is one of access rights - you should not make files default-available for anyone that can figure out the file name to the particular file in the bucket. At the very least, you need to be using signed URLs with a reasonably short expiration, and default all other access to be blocked.
As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.
Is it really just permission rights “over-exposure” issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?
Also, if you have time, recommend any links to web/cloud/SaaS security best practices “for dummies”?
My hey we’re probably using Firestore as their database without authenticating their api calls to firebase functions. Basically leaving their api endpoints open to the public Internet.
They could have connected service account and used some kind of auth handshake between that and generate a temporary login token based on user credentials and the service account oauth credentials to access the api. but they probably just had everything set to unauthenticated
deleted by creator