使用Firebase UID作为QR码标记是否安全? [英] Is it safe to use Firebase UID as QR code tag?
问题描述
如果UID被公众所知,会有什么后果? / b>
这会给黑客一个修改用户隐私数据的机会吗?
了解用户的UID并不意味着您可以模拟该用户。我可能知道你是Jason Hoch,你的StackOverflow用户ID是52961000.但是我仍然不能使用这些信息在StackOverflow.com进行身份验证。
您在Firebase数据库中拥有用户的个人资料信息:
用户
uid_52961000
姓名:'Jason Hoch '
您有相应的安全规则:
users:{
.read:true,
$ uid:{
.write:auth。 uid === $ uid
}
通过这些设置,如果我以用户身份 uid_52961000
进行身份验证,则只能写 / users / uid_52961000
。由于身份验证要求我知道你的用户名/密码或其他一些(Facebook或其他社会提供者)的秘密,没有那些我不能假装是你。
If I used the Firebase user UID as a QR code tag, is this a wise way?
What is the consequences if the UID is known by public?
Will this give any chance for a hacker to modify the user privacy data?
A Firebase's UID is not a security mechanism by itself. Knowing a user's UID is not a security leak.
Knowing a user's UID does not mean you can impersonate that user. I may know that you're Jason Hoch and your StackOverflow user id is 52961000. But I still cannot use that information to authenticate as you at StackOverflow.com.
Say that you have the user's profile information in the Firebase database:
users
uid_52961000
name: 'Jason Hoch'
And you have these corresponding security rules:
"users": {
".read": true,
"$uid": {
".write": "auth.uid === $uid"
}
}
With these settings, I can only write /users/uid_52961000
if I'm authenticated as user uid_52961000
. Since authentication requires that I know your username/password or some other (Facebook or other social provider) secret, without those I cannot pretend to be you.
这篇关于使用Firebase UID作为QR码标记是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!