tanyaaja
[ Security Vulnerability ] Firebase Configuration Disclosure, Sensitive Information
Hello, I see something wrong here. You hide the Firebase configuration in .env, which is here:
Configuration file
https://github.com/mazipan/tanyaaja/blob/master/src/lib/firebase.ts
Screenshots
Configuration structure
```ts
// src/lib/firebase.ts (as posted in the report)
export const firebaseConfig = {
  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,
  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,
  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET,
  messagingSenderId: process.env.NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID,
  appId: process.env.NEXT_PUBLIC_FIREBASE_APP_ID,
  measurementId: process.env.NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID,
}
```
PoC
I even easily found the Firebase configuration. Shouldn't it be hidden?
See details below.
Screenshots
Configuration structure
```js
// values as found in the built client code; "xxxxxxxx" marks values redacted by the reporter
apiKey: "xxxxxxxx",
authDomain: "tanyaajaapp.firebaseapp.com",
projectId: "tanyaajaapp",
storageBucket: "tanyaajaapp.appspot.com",
messagingSenderId: "xxxxxxxx",
appId: "1:xxxxxxxx:web:xxxxxxxx",
measurementId: "G-xxxxxxxx"
```
I did not show in detail the location and where the configuration is exposed, but at least it is enough to give an idea that your configuration is exposed.
This is a practice that is actually not recommended, because the built-in JavaScript framework will result in obfuscated code, and we can read the code; if we are careful we will find sensitive things.
Hi mazipan @mazipan, can you confirm with me whether this needs to be followed up or not?
Thank you, rizky
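For anyone triaging a report like this one, the two facts that decide it are: Next.js inlines every environment variable prefixed `NEXT_PUBLIC_` into the browser bundle at build time, so those values are public by construction, and the Firebase web config object (apiKey, authDomain, projectId, appId, ...) is designed to be shipped to the client; access control for a Firebase project is enforced by Security Rules and App Check, not by keeping these identifiers out of the bundle. What must never carry the `NEXT_PUBLIC_` prefix is a genuine server-side credential. The check below is an added example, not code from the tanyaaja project: it parses a constructed `.env` body, lists which variables Next.js will expose to the client, flags any exposed variable whose name suggests a real secret while treating the known Firebase web-config keys as expected-public, and then confirms which `.env` values literally appear in a (constructed) built chunk. All names and sample values are placeholders.

```javascript
// Added example (not part of the tanyaaja project). Lints a Next.js .env for
// secrets that would be inlined into the client bundle, and verifies after a
// build which values actually reached the client. All sample data is constructed.
const CLIENT_PREFIX = "NEXT_PUBLIC_"; // Next.js inlines variables with this prefix into browser code

// Firebase web-config keys: public by design, so their exposure is not a finding.
const EXPECTED_PUBLIC = new Set([
  "NEXT_PUBLIC_FIREBASE_API_KEY",
  "NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN",
  "NEXT_PUBLIC_FIREBASE_PROJECT_ID",
  "NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET",
  "NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID",
  "NEXT_PUBLIC_FIREBASE_APP_ID",
  "NEXT_PUBLIC_FIREBASE_MEASUREMENT_ID",
]);

// Name fragments that indicate a server-side credential (heuristic, assumed list).
const SECRET_HINTS = /(SECRET|PRIVATE_KEY|SERVICE_ACCOUNT|PASSWORD|TOKEN|ADMIN)/;

// Parse a .env body into a key/value map. Handles KEY=value, single/double
// quoted values, blank lines and # comments; does not expand ${VAR} references.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Pre-build check: which variables the client will see, and which of those
// look like secrets that should have stayed server-only.
function classifyEnv(env) {
  const clientExposed = [];
  const findings = [];
  for (const key of Object.keys(env)) {
    if (!key.startsWith(CLIENT_PREFIX)) continue; // server-only, never inlined
    clientExposed.push(key);
    if (EXPECTED_PUBLIC.has(key)) continue; // Firebase web config is meant to be public
    if (SECRET_HINTS.test(key)) {
      findings.push({ key, reason: "secret-looking variable is inlined into the client bundle" });
    }
  }
  return { clientExposed, findings };
}

// Post-build check: which .env values appear verbatim in a built client chunk.
// Short values are skipped to avoid accidental substring matches.
function valuesInBundle(env, bundleText) {
  return Object.entries(env)
    .filter(([, value]) => value.length >= 8 && bundleText.includes(value))
    .map(([key]) => key)
    .sort();
}

// Constructed sample .env: placeholder values, not real credentials.
const SAMPLE_ENV = `
# Firebase web config, public by design
NEXT_PUBLIC_FIREBASE_API_KEY="AIzaPLACEHOLDER_KEY"
NEXT_PUBLIC_FIREBASE_PROJECT_ID=example-project
# mistake: a server credential given the public prefix
NEXT_PUBLIC_FIREBASE_SERVICE_ACCOUNT_KEY=placeholder-service-account-json
# correct: server-only, never reaches the browser
FIREBASE_ADMIN_PRIVATE_KEY=placeholder-private-key
`;

// Constructed stand-in for a minified client chunk after `next build`.
const SAMPLE_BUNDLE =
  'apiKey:"AIzaPLACEHOLDER_KEY",projectId:"example-project",x:"placeholder-service-account-json"';

// Run both checks over the constructed sample and return the combined report.
function runCheck() {
  const env = parseDotenv(SAMPLE_ENV);
  const report = classifyEnv(env);
  report.inBundle = valuesInBundle(env, SAMPLE_BUNDLE);
  return report;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runCheck(), null, 2));
}
```

In the sample, the Firebase API key and project id are reported as client-exposed but not as findings, the mis-prefixed service-account variable is the one finding, and the admin private key never appears in the bundle because it lacks the prefix. In a real pipeline the pre-build check runs on `.env.production` and the post-build check runs over `.next/static/chunks/*.js`; a finding should fail the build.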