Firebaseui-ios: Huge security issue with Firebase UI both on iOS and Android

Created on 29 May 2018  路  3Comments  路  Source: firebase/FirebaseUI-iOS

Describe your environment

  • Objective C or Swift: Swift
  • iOS version: 11.x
  • Firebase SDK version: FirebaseCore (4.0.20)
  • FirebaseUI version: FirebaseUI (4.5.5)
  • CocoaPods Version: 1.5.0

Step 3: Describe the problem:

When a user logs into her Google account inside our app through Firebase UI, she also gets signed into her Google account in Safari all of a sudden!!! This is a huge security issue. Imagine if somebody borrows my phone to log into an app using their Google account, and all of a sudden I get access to their emails, calendars, notes, Google Photos and all other Google related products.

Steps to reproduce:

  1. Implement Firebase UI in your app with Google login enabled
  2. Log a user into your app with their Google account

Observed Results:

Open gmail.com on your phone's Safari app and observe that you are logged into the user's gmail account though they just tried to sign into your app!

Expected Results:

The user should only be logged into Google inside the app they have authorised their Google account, not in the entire system.

Most helpful comment

@morganchen12 thanks for your reply! And thanks for closing this issue immediately to disallow intellectual discussions.

I am aware that by bringing up a WKWebView on iOS you are running the login browser on a separate process, ensuring that the app cannot steal any credentials from the login screen. HOWEVER, you are adding the user's Google account to the whole phone through a persistent cookie. That's a HUGE downside and a massive privacy risk, all the while the user is completely unaware of this fact. When the Firebase UI displays Google's auth login page, nowhere is it said that the user's account will be shared on the host device.

All 3 comments

This is an iOS/Android behavior, not a FirebaseUI behavior. It's more secure for apps to redirect third-party logins to a web browser so that apps can't be used to phish third-party credentials.

@morganchen12 thanks for your reply! And thanks for closing this issue immediately to disallow intellectual discussions.

I am aware that by bringing up a WKWebView on iOS you are running the login browser on a separate process, ensuring that the app cannot steal any credentials from the login screen. HOWEVER, you are adding the user's Google account to the whole phone through a persistent cookie. That's a HUGE downside and a massive privacy risk, all the while the user is completely unaware of this fact. When the Firebase UI displays Google's auth login page, nowhere is it said that the user's account will be shared on the host device.

@vandadnp the intention of closing an issue on this repo is not to kill discussion, but rather to signal that this is not a bug in FirebaseUI and therefore there's nothing meaningful that can be done in FirebaseUI to address it.

I can totally see how you find this behavior surprising, however Google Sign In (and most other social sign-in SDKs like Facebook and Twitter) were explicitly designed to behave this way and have done so for years. I actually used to be on the Google+ platform team way back when Google first ventured into this space and one of the main goals of having the "Sign in with Google" button was to allow users to quickly sign-up/log-in in new apps without re-entering any credentials.

Unfortunately if you're not comfortable with asking your users to make that trade-off then it's possible that social identity providers are not right for you app. If you believe that you still want to allow social sign-in but you want to add some custom warning to your users, you are probably working outside the bounds of what FirebaseUI can offer and should build your own authentication UI.

Was this page helpful?
0 / 5 - 0 ratings