Out of curiosity I downloaded the larger size one - 200+GB I think (not at my computer right now) and skim through it every now and then. It's depressing - so much toxicity. Everyone seems mentally ill to me - male and female. This is a world completely alien to me and the people close to me.
Can you share (or describe where to find) a download link pls? I’m mildly curious to see just how gnarly things get in those kind of “restricted” territories
imho, as much as i like firebase, i think the design encourages this kind of broken security model. the default is open-to-the-world with credentials in the client app. setting up firebase permissions is kind of a pain.
in the traditional db world, at least your db creds live on the server-side app.
Hi all, i'm the security researcher mentioned in the article -- just to be clear:
1. The leak Friday was from firebase's file storage service
2. This one is about their firebase database service also being open (up until Saturday morning)
The tl;dr is:
1. App signed up using Firebase Auth
2. App traded Firebase Auth token to API for API token
3. API talked to Firebase DB
The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.
I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.
And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.
If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56
Except, that's not how most laws mandate it. The verification of personal data, its storage and the subsequent authentications based on it are done by a trusted third party - usually a government agency. Either they (the agency) maintain the mapping between the real life identities and the 3rd party online accounts, or they give the 3rd party an ID code which cannot be used to retrieve the personal info without the consent of both the agency and the individual user. Thus, you don't litter your personal data everywhere on the web and risk leaking it like this.
All that said, I'm still not a fan of such invasive arrangements and laws.
24 comments
[ 2.7 ms ] story [ 55.8 ms ] threadDon't try to brag about something that doesn't exist please
in the traditional db world, at least your db creds live on the server-side app.
Discovery of heinous defamation circles, doesn't sound like something to look away from or feel sorry for.
Citation, anyone?
Kiwifarms never gets this level of outrage going, and I’d argue it’s an order of magnitude more toxic to society than Tea would be
1. The leak Friday was from firebase's file storage service
2. This one is about their firebase database service also being open (up until Saturday morning)
The tl;dr is:
1. App signed up using Firebase Auth
2. App traded Firebase Auth token to API for API token
3. API talked to Firebase DB
The issue is you could just take the Firebase Auth key, talk to Firebase directly, and they had the read/write/update/delete permissions open to all users so it opened up an IDOR exploit.
I pulled the data Friday night to have evidence to prove the information wasn't old like the previous leak and immediately reached out to 404media.
Here is a gist of Gemini 2.5 Pro summarizing 10k random posts: https://gist.github.com/jc4p/7c8ce9a7392f2cbc227f9c6a4096111...
And to be 100% clear, the data in this second "leak" is a 300MB JSON file that (hopefully) only exists on my computer, but I did see evidence that other people were communicating with the Firebase database directly.
If anyone is interested in the how: I signed up against Firebase Auth using a dummy email and password, retrieved an idToken, sent it into the script generated by this Claude convo: https://claude.ai/share/2c53838d-4d11-466b-8617-eae1a1e84f56
And here's the output of that script (any db that has <100 rows is something another "hacker" wrote to and deleted from): https://gist.github.com/jc4p/bc35138a120715b92a1925f54a9d8bb...
This is why laws that say "just give websites your photo ID! It's for the safety of the children!" are concerning
All that said, I'm still not a fan of such invasive arrangements and laws.