
Fortify Insecure SSL: Overly Broad Certificate Trust (Security Features, Data Flow)

Open CyberMew opened this issue 3 years ago • 6 comments

We are getting some security issues and one of them is as per title.

The call to dataTaskWithRequest:completionHandler:() in FIRMessagingTokenDeleteOperation.m on line 81 initiates an SSL/TLS connection using the default pre-loaded system Certificate Authorities (CAs) that might enable attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.

Recommendations:

There are several possible solutions to reduce the level of trust on pre-loaded system certificates including:

  • Custom trust anchors: Use a custom keystore that only contains the certificates you want to trust.
  • Certificate pinning: Trust the default certificates but verify and enforce that the one used by your backend server is present in the certificate chain. As an alternative, public keys can be pinned instead.

Same goes for fetch. The call to dataTaskWithRequest:completionHandler:() in FIRMessagingTokenFetchOperation.m on line 113 initiates an SSL/TLS connection using the default pre-loaded system Certificate Authorities (CAs) that might enable attackers to intercept encrypted communications by performing man-in-the-middle (MiTM) attacks using certificates signed with compromised root CAs.

Is this something we need to worry about?

CyberMew avatar Dec 30 '21 10:12 CyberMew
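
The "certificate pinning" recommendation quoted in the report above, as an added example (not code from firebase-ios-sdk or from anyone in this thread): an `NSURLSessionDelegate` that keeps default system validation and additionally requires a pinned public key somewhere in the chain. The class name `PinnedSessionDelegate` and the property `pinnedKeyHashes` are hypothetical, and the pin values are placeholders the app would supply.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical delegate for an app-owned NSURLSession (assumption: iOS 15+ for
// SecTrustCopyCertificateChain). pinnedKeyHashes holds SHA-256 digests of the
// key bytes returned by SecKeyCopyExternalRepresentation (raw key, not full SPKI).
@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@property(nonatomic, copy) NSSet<NSData *> *pinnedKeyHashes;  // placeholder pins
@end

@implementation PinnedSessionDelegate
- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                  NSURLCredential *_Nullable))completionHandler {
  NSURLProtectionSpace *space = challenge.protectionSpace;
  if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
    completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
    return;
  }
  SecTrustRef trust = space.serverTrust;
  // Step 1: the system check (chain to a trusted CA, hostname, expiry) must still pass.
  if (trust == NULL || !SecTrustEvaluateWithError(trust, NULL)) {
    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    return;
  }
  // Step 2: at least one certificate in the chain must carry a pinned public key.
  BOOL pinned = NO;
  NSArray *chain = CFBridgingRelease(SecTrustCopyCertificateChain(trust));
  for (id cert in chain) {
    SecKeyRef key = SecCertificateCopyKey((__bridge SecCertificateRef)cert);
    if (key == NULL) continue;
    NSData *raw = CFBridgingRelease(SecKeyCopyExternalRepresentation(key, NULL));
    CFRelease(key);
    if (raw == nil) continue;
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(raw.bytes, (CC_LONG)raw.length, digest);
    NSData *hash = [NSData dataWithBytes:digest length:sizeof(digest)];
    if ([self.pinnedKeyHashes containsObject:hash]) { pinned = YES; break; }
  }
  if (pinned) {  // Trusted by the system AND pinned: proceed with this trust object.
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:trust]);
  } else {       // Valid chain but no pinned key: fail closed.
    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
  }
}
@end
```

The check applies only to an `NSURLSession` that the app creates with this object as its delegate, and the pin set needs a backup key so that a server key rotation does not lock the app out.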

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

google-oss-bot avatar Dec 30 '21 10:12 google-oss-bot

@CyberMew Thanks for filing the issue. Would you mind filing a ticket with the support team so we can follow up with more details on this? Mostly to get more information about the security issues on your team.

charlotteliang avatar Dec 30 '21 20:12 charlotteliang

Thanks, have just sent in a support ticket.

CyberMew avatar Dec 30 '21 21:12 CyberMew

@chliangGoogle the support said that "this wouldn’t be the specialized channel to address this inquiry" and redirected me to http://goo.gl/vulnz which I don't think is the correct place. Any advice?

CyberMew avatar Jan 11 '22 15:01 CyberMew

I don't think that's the right place to address this issue. @rizafran can you help @CyberMew file an internal bug?

charlotteliang avatar Jan 11 '22 19:01 charlotteliang

Any solution?

TusharSharma651 avatar Jul 08 '24 05:07 TusharSharma651