I was considering buying your premium plugin, when a couple of hours ago I received a message from Google regarding the Firebase service that YITH Live Chat is using:

    [Firebase] Your Realtime database xxxxxxxx has insecure rules

    We’ve detected the following issue(s) with your security rules:

    • any user can read your entire database
    • any user can write to your entire database

    It seems that you need to fix this ASAP as it's a major issue for the security of the plugin.
    That, and also consider the fact that when using Firebase, another warning comes in the Firebase Console, in the Database Secrets section that says:

    Database secrets are currently deprecated and use a legacy Firebase token generator. Update your source code with the Firebase Admin SDK.

    Since this issue is present also in the Premium plugin that you offer, if you don't fix this I can't proceed with buying that plugin.

Viewing 11 replies - 1 through 11 (of 11 total)
    Plugin Author YITHEMES

    (@yithemes)

    Hi @k3nsai,
    once you activate the plugin the first time, and set database credentials, at first connection the plugin will send the security rules to the database. This happens also with free version.

    Thread Starter k3nsai

    (@k3nsai)

    @yithemes: Can you please share the rules here so that I can compare them to the rules Google considers insecure?
    This is what I currently have in my firebase console:

    {
        "rules": {
            ".read" : "auth != null",
            ".write": "auth != null",
    
            "messages": {
                "$msg_id": {
                    ".validate": "auth.is_operator == true || newData.child('conversation_id').val() == root.child('chat_users').child(auth.uid).child('conversation_id').val()"
                }
            }
        }
    }
    • This reply was modified 6 years, 4 months ago by k3nsai.
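For comparison with the rules quoted above, here is one way to scope them so that a chat user can only read and write messages belonging to their own conversation; this is an added example, not the plugin's ylc-rules.json or anything from YITHEMES. It assumes the data layout implied by the original rules (chat_users/{uid}/conversation_id and messages/{msg_id}/conversation_id) and an operator flag carried in the auth token as is_operator; note that if tokens are minted with the Firebase Admin SDK instead of the legacy token generator, custom claims appear under auth.token.is_operator rather than auth.is_operator.

```json
{
  "rules": {
    /* No root-level ".read"/".write": rules cascade downward, so a grant
       here would expose every node to any signed-in user. */

    "chat_users": {
      "$uid": {
        /* A user sees and edits only their own record; operators see all. */
        ".read": "auth != null && (auth.uid == $uid || auth.is_operator == true)",
        ".write": "auth != null && (auth.uid == $uid || auth.is_operator == true)"
      }
    },

    "messages": {
      ".indexOn": ["conversation_id"],
      /* Operators may read everything. Other users may only run a query
         filtered on the conversation_id stored in their own chat_users
         record, so a plain read of /messages is refused. */
      ".read": "auth != null && (auth.is_operator == true || (query.orderByChild == 'conversation_id' && query.equalTo == root.child('chat_users').child(auth.uid).child('conversation_id').val()))",

      "$msg_id": {
        /* Create-only for chat users: existing messages cannot be altered
           or deleted by them; operators keep full write access. */
        ".write": "auth != null && (auth.is_operator == true || !data.exists())",
        /* Same check as the original rules: a user may only post into the
           conversation assigned to them in chat_users. */
        ".validate": "auth.is_operator == true || newData.child('conversation_id').val() == root.child('chat_users').child(auth.uid).child('conversation_id').val()"
      }
    }
  }
}
```

With these rules a client must read messages through a query such as orderByChild('conversation_id').equalTo(<own conversation_id>); an unfiltered listener on /messages is rejected, which is the behaviour the Firebase warning is asking for.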
    Thread Starter k3nsai

    (@k3nsai)

    @yithemes: I just checked and the above rule is exactly the same as the rule in ylc-rules.json in the plugin folder.
    It seems that unless you are using something different on your side, you must upgrade the rules and make them secure for all of us, as Google does not like the ones you are using now.

    Also, you must fix this issue with Database secrets being deprecated as per Google warning in the console:

    Database secrets are currently deprecated and use a legacy Firebase token generator. Update your source code with the Firebase Admin SDK.

    • This reply was modified 6 years, 4 months ago by k3nsai.

    Ditto.

    Plugin Author YITHEMES

    (@yithemes)

    Hi @k3nsai, @bruceappinletcom
    thanks for your feedback. From the checks we have made it seems that this is a false positive, however we are evaluating these updates, we hope to release them as soon as possible.

    Is this already fixed? I have the same issue. Now I can’t use the chat anymore because of this. When I open the chat, all the other conversations appear in one chat. So everybody can read all the messages from each other, this is not normal.

    Plugin Author YITHEMES

    (@yithemes)

    Hi @diede33,
    that issue is not linked to this. Are you using some caching system?

    Hi,

    Yes I use W3 Total Cache. What should I do to fix this?

    Plugin Author YITHEMES

    (@yithemes)

    Try to disable cache and make a test.

    I have received the same email from FireBase stating

    [Firebase] Your Realtime Database ‘*****-***’ has insecure rules

    We’ve detected the following issue(s) with your security rules:
    • any logged-in user can read your entire database
    • any logged-in user can write to your entire database

    Has this been confirmed to be a false positive? Is there anything I can do to fix it so I stop receiving the emails from FireBase?

    Thank you,

    Plugin Author YITHEMES

    (@yithemes)

    Hello there,
    yes we can confirm the email is a false positive and you should not receive more than one email.
    We will also send a new plugin update as soon as possible to fix the cache issue.

    Best Regards

The topic ‘Google Firebase Critical Alert’ is closed to new replies.