Lacking authz in BaaS like Firebase

Theo just dropped this bomb and points out various concerns about BaaS: https://youtu.be/TKyNPg7UIIc?si=Rdpoqfp79Opy8nWx Could someone link me an article on how Convex tries to avoid these kinds of security issues, or explain it to me?
Theo - t3.gg
YouTube
Why Is Nobody Talking About This $4,000,000,000 Hack???
I'm always gonna take the opportunity to dunk on Firebase but MAN this was too good. Can't believe the severity of these hacks, nor the insanity of the responses the hackers got. SOURCES https://mrbruh.com/chattr/ https://env.fail/posts/firewreck-1/ https://twitter.com/xyz3va https://kibty.town/blog/chattr/ Check out my Twitch, Twitter, Discor...
16 Replies
ballingt
ballingt • 11mo ago
This is a great highlight of a huge difference between Firebase and Convex: with Convex you explicitly expose data through query functions. In Firebase every table can be read from until you use their permissions system to set rules for it. Theo says "you need to have a server you control between your client and your database," because otherwise you're relying on some abstraction to do this which is a liability. Convex is that server you control: instead of row-based security rules like Firebase and Supabase's client-side stuff you write code that builds responses based on DB data without directly exposing any of it.
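To make the "explicit exposure through query functions" point concrete, here is an added example (not code from the thread or from Convex itself) of a Convex-style query handler that decides what the caller receives instead of exposing a table. The `QueryCtx` shape, the `orders` rows, the identities and the `fakeCtx` helper are constructed stand-ins so the file runs offline; in a real project the handler is wrapped with `query()` from `./_generated/server` and an indexed `ctx.db.query("orders").withIndex(...)` replaces the in-memory filter.

```typescript
// Added example: a Convex-style query function as the server-side gate between
// client and database. Types below are a constructed subset of the real Convex API.
interface UserIdentity { subject: string }                   // subset of ctx.auth identity
interface Order {
  _id: string; userId: string; item: string; total: number;
  cardLast4: string; internalNotes: string;                  // fields that must never reach a client
}
interface QueryCtx {                                         // constructed stand-in for Convex's QueryCtx
  auth: { getUserIdentity(): Promise<UserIdentity | null> };
  db: { query(table: "orders"): { collect(): Promise<Order[]> } };
}
// The response type is chosen explicitly; nothing not listed here can leak.
interface OrderView { id: string; item: string; total: number }

// Pure authorization + projection step: the only path from DB rows to the caller.
function ordersForCaller(identity: UserIdentity | null, rows: Order[]): OrderView[] {
  if (identity === null) throw new Error("Unauthenticated");  // no identity, no data
  const subject = identity.subject;
  return rows
    .filter(o => o.userId === subject)                        // only the caller's own rows
    .map(o => ({ id: o._id, item: o.item, total: o.total })); // drop cardLast4/internalNotes
}

// Handler in the (ctx, args) => result shape Convex uses; wrap with query({ handler })
// in a real deployment. The client can call this function, never the table behind it.
async function listMyOrders(ctx: QueryCtx, _args: Record<string, never>): Promise<OrderView[]> {
  const identity = await ctx.auth.getUserIdentity();
  const rows = await ctx.db.query("orders").collect();
  return ordersForCaller(identity, rows);
}

// Constructed sample data and a fake ctx standing in for the Convex runtime.
const SAMPLE_ORDERS: Order[] = [
  { _id: "o1", userId: "alice", item: "burger", total: 9.5, cardLast4: "4242", internalNotes: "VIP" },
  { _id: "o2", userId: "bob",   item: "fries",  total: 3,   cardLast4: "1111", internalNotes: "" },
];
function fakeCtx(identity: UserIdentity | null): QueryCtx {
  return {
    auth: { getUserIdentity: async () => identity },
    db: { query: () => ({ collect: async () => SAMPLE_ORDERS }) },
  };
}
```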
ballingt
ballingt • 11mo ago
for anyone curious, this video is about the Firebase hack described in https://mrbruh.com/chattr/ and https://kibty.town/blog/chattr/
How I pwned half of America’s fast food chains, simultaneously. Also check out Eva’s blog post of this event. With an upbeat pling my console alerted me that my script had finished running; to be precise, it was searching for exposed Firebase credentials on any of the hundreds of recent AI startups. This was achieved through a public list of sites ...
how we owned almost all of america's fast food chains - eva's site
FleetAdmiralJakob 🗕 🗗 🗙
Oh, did not know about that. Never used Firebase. Nice, this is a huge selling point. Great work!
Matt Luo
Matt Luo • 11mo ago
Yeah, in my BaaS research I saw firepwn as a commonly referenced tool to exploit Firebase. I prototyped in Firebase in 2023. In general, it seems that Firebase Auth has gone into maintenance mode. The libraries for JavaScript were last updated in 2021. Their Dart library (for Flutter) was minimal. I wouldn't be surprised if Firebase Auth essentially became Google IAP under the hood, similar to how any Firebase Function generation 2 is now a Cloud Run service under the hood. Also, when a user logged in, Firebase's UI console for auth didn't update that last updated login time. It was a pretty bad bug, and telling as to how the code base seemed frozen.
erquhart
erquhart • 11mo ago
Always keep in mind that, while I'm not claiming there's any intentional deceit in Theo's videos and videos like it, the intent is to make money as a content creator. So everything is sensationalized, dramatized, etc. Appreciate you posting here to get some context, good move.
FleetAdmiralJakob 🗕 🗗 🗙
Yeah, but if you just break it down to the blog post, we can clearly see that this vulnerability could have caused at least $4B; he even calculated it. If you add the money you could have made with the user data on the dark web...
erquhart
erquhart • 11mo ago
For sure - that's kind of my point, the blog post covered it well and in a measured way. Video feels like clickbait, just looking at the cover. I get it, just don't like it.
FleetAdmiralJakob 🗕 🗗 🗙
Yeah, but every video on his channel looks clickbaity (title and thumbnail). But I don't really care much, because he always gives his honest opinion in his videos.
erquhart
erquhart • 11mo ago
That's fair
FleetAdmiralJakob 🗕 🗗 🗙
And if you look under his videos, you can see that his thumbnails are the most criticized part of his videos.
erquhart
erquhart • 11mo ago
I should probably watch the video before passing judgement 😂
Matt Luo
Matt Luo • 11mo ago
Yeah, in the past half-year or so, I see Theo as having gone more into tech news, catchy titles, and (open mouth, haha) expressive-face thumbnails. @FleetAdmiralJakob 🗕 🗗 🗙 - It would be interesting to hear Theo's thoughts on Convex. My speculation is that he would dismiss Convex too early because of his strong personal preferences about a DB. He was once sponsored by PlanetScale (but interestingly, he hasn't said anything on YouTube about PlanetScale since its free tier ended) and often dismisses any form of database that is not a relational database. At least from the Convex developer's perspective, the Convex DB is not a traditional relational database like MySQL. But he would actually like the things Convex provides, like type safety. I think Theo got famous by his T3 stack, which emphasized tRPC. All that said, Theo doesn't seem to say anything about cache or real-time, which is what I imagine draws most people to try Convex. Theo's background is that he started his career initially on the backend, but it's mostly front end design, especially Tailwind and integrations with Figma.
FleetAdmiralJakob 🗕 🗗 🗙
Probably. Do you know (watch) him? I would also want to know his opinion about Convex. I know that Convex sponsors Web Dev Cody, but did Convex try to sponsor him, and if yes, did he respond with something? @Tom
erquhart
erquhart • 11mo ago
I honestly don't watch videos at all, but I know he's a huge influencer for frontend folks. His big blast over that person's Netlify bill a couple of months back, which very much misrepresented the reality, really left a bad taste for me.
FleetAdmiralJakob 🗕 🗗 🗙
Interesting, wdym with misrepresented the reality? I watched the video too and was able to agree with him.
ballingt
ballingt • 11mo ago
We chatted with Theo before, he's visited the office. Previously he's said he doesn't want to lead his followers to something he's not sure will keep existing and isn't open source — so I think there's a higher bar here for something as different and relatively new as Convex. Looking forward to seeing if our open sourcing of the backend helps.