As far as I know, none of these keys (except the email/password) are considered a secret. The real problem here is that they aren't using Firebase/Firestore rules to correctly limit database access.
Yep. Although this exact thing has happened to so many apps I’m beginning to doubt the wisdom of this “allow completely open dev settings at first and then YOU get to remember to fix it” model that Firebase uses.
Maybe they could require an IP whitelist if the permissions aren’t set yet or something.
Permissions are a pain... I am considering centralizing permission handling in a separate service environment so that every service I have shares the same permission logic.
It is a shame, since we could save some latency by having permissions implemented in the same language and app from which they are being requested. But to avoid stuff like what's in the article, I believe the cons are worth it.
edit: the user had direct access to the database. No amount of code would mitigate that. Moral of the story is NEVER leave your database open to the public; always hide it behind a service wall.
And in fact some systems are only usable because of their security. A bank that gives all accounts the same password could hardly be considered usable, neither could many websites if they did the same.
What makes this even more sloppy for the school is that I know for a fact that Firebase will send your admin account an email when it detects that you have weak security settings on your database. It also sends said email repeatedly, once per day.
I know because I intentionally have a developer db that is read access for the whole world and I get that email every afternoon. The admin of this app either is not competent enough to know what that email means, or is willfully ignoring it.
> The admin of this app either is not competent enough to know what that email means, or is willfully ignoring it.
Or it's being filtered into their junk folder.
I'm not making excuses for them, btw (there's just so much else wrong here): just pointing out that this happens quite often with even legitimate automated messages.
The media would have a field day and say that he hacked his school database. It's crazy how so many institutions are doing the digital equivalent of leaving an unlocked car in a bad neighbourhood and no one holds them accountable. Most people understand the concept of an unlocked car, not many understand that he didn't do anything special to hack his school db. He just strolled right in.
Someone who snatched a purse out the hand of someone else isn’t “doing anything special” either. The illegality doesn’t hinge on the difficulty of the action. Why is that so hard to grasp for technical crowds?
If you find a car with the keys in the ignition and the door unlocked, you won’t get away with driving it a block down the road by telling the judge: “Oh, but it was obviously insecure, and I was just testing to see if I could steal it”.
The data that's available isn't the school, it's student data! The school left the students "cars unlocked" and no one holds them accountable. They just say that people shouldn't steal cars.
They left the car unlocked in the same sense that your home is unlocked. With the right tools, it’ll take me 5 minutes to gain entry. I could then claim that it’s your own fault I gained entry because you don’t have a metal-reinforced door, steel bars across the windows, and a lock that can’t be easily or readily picked...
Yes, someone technically minded with the right tools and access can break in. But that’s less than 5% of the population, very similar to the percentage who could easily pick even a complicated lock, but of course near 90% will be able to take an axe to a door or kick in a window.
Even with that house analogy, I'd argue that you shouldn't store large volumes of other people's sensitive personal data in a house that has the bare minimum security.
The issue is organisations being reckless with our data and then blaming hackers when they lose it. It should be common sense that if you have sensitive information then it needs an appropriate level of security, but somehow companies have convinced everyone it's not their fault.
I think this is where analogies between physical theft/trespass and digital access break down.
Pressing the handle down, maybe even opening a door, but not walking in and not taking anything. No theft, no trespass. AFAIK in my local laws trespass requires entry and theft requires carrying off. Indeed -- apparently -- you're legally allowed to enter abandoned properties if you don't break in.
That to me is equivalent to access, maybe even duplication (proving access with no 'alarms'), of digital data. When it becomes immoral is when you use that data, or make it available for use by others.
Of course the CMA(UK)/CFAA(USA) don't see things this way they both seem to make the equivalent of 'looking in the direction of a door and noticing it's open' into an illegal act.
> When it becomes immoral is when you use that data, or make it available for use by others.
That's logically consistent but shockingly permissive. And to be frank, I don't believe for a second this is really a principled opinion on your part, it's an excuse.
You'll get behind the hacker linked on HN out of solidarity or for some other personal reason (maybe you hate schools, or java). You'd never forgive someone for walking in and lifting your photo history due to a security lapse by Facebook, even if they never "used" the data nor "made it available for use by others". And that is why this behavior is criminal.
This is apparently a curious student that discovered a vulnerability and, judging by the way that blog post is written, is unsure how to properly disclose it. If this was your Facebook analogy, they'd have a relatively visible path to disclose that. Here, they have to potentially fear being reprimanded or criminally charged.
Under the premise that yes, granted, all that might technically qualify as some criminal act: the aspects of intent and malice are, imho, important in these discussions and should be for the corresponding laws. They found a vendor negligently handling student data; instead of dumping it somewhere, making a fuss in the press or using it for something, they try to disclose it (at least I'd hope so). It's not like the author abused that data; they tried out a proof of concept to see if access to other users could be gained. Not just out of solidarity, that's something we should applaud and shield, instead of branding it as criminal behaviour.
For me this is more akin to past cases of people being reprimanded for trying to change URL parameters that are not sufficiently protected, while I see that it might be a philosophical standpoint rather than a legal one, I think the fine in these cases should go to the negligent company, not some curious individual without malicious intent.
Your post to me is a bit like how people said "you feel violated, don't you" when we had burglars. I didn't feel violated, nor particularly care I'd had unknown people in my house -- what I cared about was the nuisance of making insurance claims.
>You'd never forgive someone for walking in and lifting your photo history //
Someone who looked at one of my photos to prove they could, or downloaded one, never shared it, never re-published it? I wouldn't ever know, for one thing.
If they downloaded all my photos and never used them? Am I supposed to be angry?
>it's an excuse //
What do you think I'm excusing?
You mention school, so say someone hacks the school network, they don't share any of the info ever with anyone, don't use it in any way -- except perhaps the only result is they anonymously inform the school they have a breach -- what's immoral there? (Yes, practically you move the legality toward the easily measurable act of making access assuming immoral intent, I understand that.)
> Why is that so hard to grasp for technical crowds?
Because laws concerning actual theft are objectively defined, and are logically consistent with themselves and other laws.
Laws about 'hacking', where the crime is simply a message, not a physical action, are extremely subjective. It revolves around intent more than the action.
For example: If a user goes to the website of theirbank.com and the root page is a list with all the credit card numbers of all the clients. Is he committing a crime? He used computers to get information that he shouldn't be allowed to see. Most people would say: no, he only wanted to visit the website.
If I see that the bank's API has no security, am I committing a crime?
If I use SQL injection to see all the users data, am I committing a crime?
Most people would say that it depends on intent, but intent is extremely subjective, and IMO a pretty bad way to define laws.
I did this when I was at high school with a friend. Basically the place had a shared Windows file system, and the only thing that prevented everyone from viewing it was that it was hidden in the UI. On the drive was lots of data, including some applications in PDF format - completely unprotected - full of personal information of minors.
At the time we had recently covered data protection in IT class, so we wrote up a document explaining what we did, and why it was bad, and gave copies to a few people in prominent positions (principal, head of IT, IT teacher) as well as posting it (with instructions redacted) on an internal message board.
Well, of course they didn't take it very well. They threatened to expel us and call the cops, and suspended us for a week until they decided what to do. In the end a well-written warning from my friend's parent made them drop the issue and let us back in. I doubt they did anything to change the "security".
He saw a car
He tried the doors until he found one that was open
He climbed in and searched everywhere until he found personal information about other users of the system
Even though the security of this system was poor, he still (probably) broke the law. There are plenty of opportunities for people with some knowledge of IT to abuse their power, but it's our responsibility not to do so.
He looked in the window of a car and saw tons of users' personal information -- visible through the window! Any criminal could walk by and copy the info, privately, without anyone knowing. Maybe some criminals already have.
I think the important thing we miss with car/physical crime analogies is that cybercrime can be so invisible. Nothing is missing, nothing is taken... but users private data is lost. So if an organization is doing something terribly naive like publishing passwords to userdata in plaintext... it's disgusting for our society to punish the wrong people, the people pointing out the flaws rather than the ones who cause them. All the really malicious entities came and went and will never be caught.
They put private information into a JSON file accessible by an HTTPS GET, the only password being one that they put in plaintext onto everyone's phones.
My analogy: They put the private information onto a billboard, but you can only see the billboard from a particular vantage point in a public park.
He downloaded the apk and extracted the database key from it. This is probably beyond the means of >98% of people. To be fair, there have been instances where literally just editing the route on a URL to view a different document has resulted in hacking charges; I wouldn't go to such great lengths to defend this guy.
If you go up to someone's house and look under their welcome mat and find a key, is it okay to unlock the door and stroll in with the rationale that the poor security counts as consent to enter?
Pretty sure it’s the same person from what I could find out from archive.org snapshots. I followed this trail:
- From the tweet you linked, it’s clear that they owned yoginth.ml
- Archive of the homepage links to a gitlab profile [1] which uses the same profile picture and style of writing as their current gitlab profile.
- The page linked to yoginth.ml, and subsequent snapshots of page show it changed to yoginth.com (the current domain).
Additionally, I noticed that they mentioned that they work at “DocsPen”. Quick google linked to a repository with years of history (evident from the migrations page), but everything committed in 2017. Looked up, and it’s essentially another unattributed copy of BookStackApp with licenses changed and s/BookStack/DocsPen.
Unfortunately, it seems it's a case of naive plagiarism and not knowing what counts as fraud. I say this because there’s enough information to get their entire identity (I’m not gonna post a link to that) and it’s clearly a school kid who’s misguided enough. If OP reads this, I’d suggest they reflect upon their actions (or cover their tracks more carefully). Sooner or later, if authorities get involved it won’t be difficult for them (I just did an archive.org search on my phone). I feel a bit more aware of this because I studied at Delhi University and I knew a few people who did/do similar things to get enough attention and build a resume.
Yeah, DocsPen was a copy of BookStack. Was a really awkward and difficult thing to handle as maintainer, with BookStack being my first popular OS project. It was done very purposefully in an odd way. I remember that issues, filed by BookStack users, were being re-created on the DocsPen repo by (potentially fake?) DocsPen maintainers with pretty much the same text.
Yoginth would then commonly create issues on the BookStack repo, many of which were issues with DocsPen and not BookStack, and would email me asking to deploy new releases. I remember being at a loss as to how to handle it; I raised my concerns [1] and asked for advice on reddit [2]. The DocsPen repo then suddenly moved to GitLab before being hidden. Yoginth then deleted all issues and comments made in the BookStack repo, or this may have been just part of a full account deletion.
Interesting. I have a hunch that this all is an attempt to game Google Summer of Code to win sponsorship. I think the sponsors look for open source contributions, and they created all the copies, organisations etc. to make it seem like significant profile. It’s crazy that people would go to such lengths. Like you said, it’s very odd, and sloppy.
The first linked Twitter thread is from July 2018, the second is from November 2018. I don't classify that as "too old". And your article is dated October 25, 2018, so it's approximately the same period of time.
The same is true for many other projects on your GitLab profile. Many of them are just snippets from Stackoverflow which you decided to turn into a repository with copyright in your name, for some reason.
You've built an entire online presence by copying everything from other people's work - from your blog theme to your content "without knowing"?
Adorable.
Also, by briefly reading the docs on the "platform" you are trying to peddle, I'm getting fairly certain you also copied that as well, as it is too well written in comparison to the drivel on your blog.
In all fairness on that last point, if you're referring to his "Gitote" project, the author has stated here [0] that it was a fork of Gogs, and seems to have retained the proper copyright notices in the source files:
"// Copyright 2015 - Present, The Gogs Authors. All rights reserved.
// Copyright 2018 - Present, Gitote. All rights reserved." [1]
I agree it should probably have been given more prominent mention, but given the number of commits doesn't seem (at quick glance) to be a hasty "fork and rename".
I'm not sure if you are in the industry, but attendance tracking is high up on most institutions' lists of metrics to track. Aside from helping out the usual back office data, it's often a key indicator for students who are in trouble. The institution can then reach out and assist these students.
They might just not be from the US. Here in Germany, tracking or forcing student attendance is subject of large discussions and generally often frowned upon (or forbidden by regulation) in the University setting these days.
This is mind boggling.
Failing someone for missing one or two classes is ludicrous, but giving someone a certificate who didn't engage with the course is equally so. University education isn't about the destination/exam it's about the journey.
Not sure why you'd think that not tracking attendance means that people do not attend. Pure attendance does not guarantee good performance and in filled lecture halls there's often not much to "engage" with anyhow.
We see this as academic freedom, if you miss out on in-person seminars you won't pass, if you do not go to some lecture because you have to work and teach yourself afterwards, who cares.
This is a common practice in Europe as I understand, not just Germany.
The thinking as I understand it goes along these lines: there are requirements to get a degree (thesis, pass exams, score high enough in exercises), but the university is primarily a center for learning and you are an adult, so how you achieve the abilities to fulfill the requirements is your own business. If you want to do things on your own, you are free to do so.
Also, it is seen as a test by itself: are you capable of taking responsibility and doing your work?
This is a quite valuable lesson by itself. Most people need a few months to learn it (partying is fun, but doesn't get you a degree), some don't and indeed drop out.
> University education isn't about the destination/exam it's about the journey.
Showing up for lectures is by far the least important part of the journey. It's a passive activity that usually adds zero value versus watching lessons on YouTube or reading the textbook.
The real learning (IMO) is in doing the assignments, networking with people in your residence, social activities, internships, etc.
A degree is a class signifier, its only value is that it costs.
Most degrees you'll have to teach yourself, and then when you graduate you get to advertise that you were willing to submit mindlessly to the system and do as you were told. Both of which are very valuable to employers.
University education isn't about the destination/exam it's about the journey.
There are more paths to the final destination than just turning up to all of your lectures, particularly if a lecturer is not doing a good job of presenting the material.
One of the controversial issues here in the UK at the moment is how much students are now paying for their university fees compared to how much value the university offers in return. Governments over the past generation or so have turned undergraduate degrees into a much more commercial proposition: you're taking on a lot of debt, but you're leaving with (in theory, according to the marketing brochure) much better career prospects.
At the same time, advances in technology and communications are rendering obsolete the old school lectures where you turn up and transfer the lecturer's notes from their paper to yours without passing through either brain along the way. You can find some of the best presentations of subjects ever given in freely available videos online today. Manually transcribing notes (or typing them on your laptop, or whatever) is largely a waste of time when you can just download well-written notes and spend your time in a lecture actually concentrating on understanding the material. For many courses, you really need to look at multiple sources anyway, to avoid getting tied up with a single view of the subject or a single expert's personal style of presentation and notation.
So if you said to a typical UK undergraduate today that the most important thing about their university journey was to attend all of their lectures, even when they're being phoned in by some researcher who is simultaneously daydreaming about their latest funding application, I don't think many people would agree with you.
You can get much more out of Uni but IMO a degree certificate is, and should only be, a measure of ability to complete the stated academic requirements.
Here in India, the University I attended requires a minimum attendance of 75%, or they won't allow you to sit the end of semester exams. Your attendance even accounts for 5% of the score of your end of semester exams for that course. Quite insane when you think about it.
What sort of bad weather are we talking about here? Also, is this due to the commute becoming difficult/impossible in the weather, or because the facilities/lecture theatres are leaky/poorly constructed, or something else?
For Kerala, it's heavy rains. Flooded roads with open drains and deep potholes, bad electricity poles and transformers, lines touching trees etc. Engineering and business college norms require sturdy buildings and a few AC rooms.
My university didn't officially track attendance, but lecturers did track it nonetheless. Poor attendance was used as a metric when deciding whether somebody deserves a late submission, resubmission, or aegrotat.
I attend a public school in the United States, and attendance is de-facto enforced by questions that you answer during class (using iClickers, or by quizzes you turn in at the end).
Unfortunately, my friends in the class have annoyingly moralistic views on academic honesty, and the professor made it quite clear what the consequences of doing this would be :(
> Unfortunately, my friends in the class have annoyingly moralistic views on academic honesty
There is nothing wrong with adhering to the rules of a school, and I think it is not that good that subverting the rules is such common practice that actually following the rules is considered annoying. If the rule is so egregious that it cannot be followed then sure, but showing up is literally the easiest part and statistically has a strong correlation with better performance.
I had to code-review a Django app using Firebase as a DB and swore never again. He did features and promised to do validation and security later by going to their editor and writing JavaScript files. Django lets him write valid forms and correct SQL queries in almost the same number of lines of code. Pagination was a pain in the current version and present only in a version forever in beta. All the hard work coaching him on exceptions went out of the window.
An Android dev finally enlightened me where Firebase shines: offline sync of mobile to a server by eliminating lots of explicit CRUD calls and error handling.
An Australian autistic developer found a top university's custom authentication database exposed to the internet in less than 10 minutes. Please, no more DIY crypto or running unaudited services willy-nilly. :prayer-emoji-here:
There's a "development" mode you can enable on your database that simply ignores all of the rules. The college app either 1) has no/unsafe rules set up, or 2) left their Firebase database in development mode.
Good spot, but be careful in the future in your approach. Some places will nail you for having not stopped at the point where you unpacked the apk resources and noticed the API keys. Downloading the credentials might not have been the smartest move.
It’s not about keys or modes, it’s about the rules they didn’t set up. Everyone uses firebase like that. Those “keys” are required to allow you to connect to the correct firebase app, nothing more. You don’t get any direct special permission to do things on the database or storage.
Here some more info about the rules: https://firebase.google.com/docs/database/security
Firebase keys give you access to the database, which can be public. You just have to setup rules for the database, usually so users have to be authenticated to view anything and can only read their own private info.
edit: just realized you may have just been asking about hiding keys in general. Sorry if this wasn't what you were asking about!
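The comments above all come down to the same point: the "API key" in the apk only identifies the Firebase project, and what actually decides who can read what is the rules tree attached to the Realtime Database. The block below is an added example, not code from the article or from Firebase; it is a small JavaScript model of two documented properties of Realtime Database rules that matter for this incident: a `.read`/`.write` grant at a parent cascades to the whole subtree (so a root-level `true`, the "development mode" default, cannot be revoked deeper down), and rules are not filters (a rule on `users/$uid` does not let you list `/users`). Rule expressions are represented as JS functions rather than Firebase's string syntax; the `devRules` and `hardenedRules` shapes are assumptions for illustration.

```javascript
// Added example: a simplified model of Firebase Realtime Database rule evaluation.
// A rules tree is a nested object; keys beginning with "$" are wildcards that
// capture a path segment; ".read"/".write" hold either a boolean or a function
// of a context {auth, $var...} standing in for Firebase's rule expression.

function isAllowed(rules, op, path, auth) {
  const segments = path.split('/').filter(Boolean);
  const key = op === 'read' ? '.read' : '.write';
  const vars = {};
  let node = rules.rules;

  // Walk from the root toward the requested path. A grant at any level
  // cascades to every descendant, so we return true as soon as one matches;
  // a deeper "false" cannot take that grant away.
  for (let depth = 0; ; depth++) {
    const rule = node[key];
    if (rule !== undefined) {
      const ok = typeof rule === 'function' ? rule({ auth, ...vars }) : rule === true;
      if (ok) return true;
    }
    // Reached the requested node with no grant on the way down: denied.
    if (depth === segments.length) return false;

    const seg = segments[depth];
    let next = node[seg];
    if (next === undefined) {
      // No literal child; try a wildcard such as "$uid" and bind it.
      const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
      if (!wildcard) return false;
      vars[wildcard] = seg;
      next = node[wildcard];
    }
    node = next;
  }
}

// "Development mode" style rules (assumed shape): the whole tree is world-readable
// and world-writable, regardless of whether the caller is signed in.
const devRules = { rules: { '.read': true, '.write': true } };

// Hardened rules (assumed shape): a signed-in user may read and write only
// the node whose key equals their own uid.
const ownerOnly = (c) => c.auth !== null && c.auth.uid === c.$uid;
const hardenedRules = {
  rules: {
    users: {
      $uid: { '.read': ownerOnly, '.write': ownerOnly },
    },
  },
};

// Cascade trap: a root grant with a "false" below it still exposes everything.
const cascadeTrap = {
  rules: { '.read': true, users: { $uid: { '.read': false } } },
};

// Convenience wrapper used by the checks below; auth null = anonymous caller.
function canRead(rules, path, uid) {
  return isAllowed(rules, 'read', path, uid === undefined ? null : { uid });
}
function canWrite(rules, path, uid) {
  return isAllowed(rules, 'write', path, uid === undefined ? null : { uid });
}
```

With `devRules`, an anonymous caller reads `/users/alice`; with `hardenedRules` only `alice` can, `bob` cannot, and nobody can list `/users` because no rule grants read at that level. The `cascadeTrap` tree shows why the fix is to remove the root `true`, not to add denials underneath it.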
> Don’t put your API keys, Tokens and Secrets visible easily
I was just confused at this part because permission & rules are the solution as far as I know.
Thanks for the reply though :)
I'm pretty sure now that exposing keys is no problem.
Well, the trick is that using a KeyStore ensures that the key doesn't leak into the application (but is only used for cryptographic operations in a trusted environment).
However, you would need the plain key to authenticate against the database so using this wouldn't work.
Read-only access through intermediate proxy that you control (but not to all data like here) + login required for more access (via intermediate proxy or direct).