Firebase电子邮件和密码身份验证是否有任何安全配置选项？ [英] Does Firebase Email and Password authentication have any security configuration options?

问题描述

嗅探Firebase流量时，我看到代码被传递给auth服务器，以便始终返回200状态代码。这表明在身份验证协议的某个级别上有某种级别的可选安全性。

有没有一种方法可以使Firebase身份验证失败，并显示相同的错误消息用户在输入密码错误时输入不存在的电子邮件地址？

INVALID_USER 状态代码让我担心有可能发生<在我的应用程序已经被盗用的情况下，用户枚举攻击：https：//www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002）rel =nofollow> user enumeration attack 通过脚本注入。

有关如何更安全地锁定Firebase身份验证协议和/或某种关于智能速率限制的声明（某种程度上分布式攻击免疫）的信息。被应用可能会很长的路要保证我Firebase的BU ilt-in电子邮件和密码auth确实是安全的（假设Firebase规则设置正确，证书在客户端上不受影响，等等）。

解决方案< （Firebase雇员）现在，答案是否定的：你无法控制向客户报告的状态代码。

好消息是枚举攻击将是相当困难的，因为我们扼杀原产地的请求，以减轻任何暴力方法。

While sniffing the Firebase traffic, I have seen that a code is passed to the auth server so that it always returns a 200 status code. This shows that there is some level of optional security at some level in the authentication protocol.

Is there a way to cause Firebase authentication to fail with an identical error message when the user enters a non-existent email address as when they enter the wrong password?

The INVALID_USER status code gives me concern about the potential for a user enumeration attack, in a case where my application has become compromised via script injection.

Information on how to more securely lock down the Firebase auth protocol, and/or some sort of statement about smart rate limiting (somehow distributed attack immune?) being applied would probably go a long way to assuring me that Firebase's built-in email and password auth is indeed secure (assuming Firebase rules are set up correctly, certs aren't compromised on the client, etc).

解决方案

(Firebase employee) For now, the answer is no: you can't control the status codes reported to the client.

The good news is that an enumeration attack would be fairly difficult, as we throttle requests by origin to mitigate any brute force approaches.

这篇关于Firebase电子邮件和密码身份验证是否有任何安全配置选项？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！