Injection - Site Broken

Open UltimateGG opened this issue 2 years ago • 1 comments

I know this project was probably a POC and is not maintained, but there are some security issues for anyone clicking the link from YouTube..

I wanted to test the security of Firebase and how there is essentially no server side validation of documents. I cloned the repo, copied the firebase config from the production site, and modified sendMessage to:

Where text is no longer a string, but an object. This throws an error in react, bringing the site down for everybody right now and you cannot see/send any messages.

You can also set your profile picture to anything you'd like, set extra params on the object (Fill storage, etc.) and im sure many other malicious things..

Jan 28 '23 02:01 UltimateGG

how to fix this?

Apr 30 '23 23:04 ralfs66