New ask Hacker News story: Ask HN: Is the Firebase Auth Secure?

Ask HN: Is the Firebase Auth Secure?
2 by WolfOliver | 0 comments on Hacker News.
According to the documentation, I can obtain the firebase "API" token via the following javascript (see [01]): FirebaseAuth.instance.currentUser().getIdToken(); It seems like the id token is used as access token/api key? As there are so many discussions that storing tokens in a palace reachable by JS is very insecure [02]. I'm wondering what I'm missing here. Also, I do not really understand why is it considered to be so much more insecure? As soon as malicious code has access to the JS, he can as well make the fetch requests from the users browsers, sending along all the required cookies. So, is it still valid not to use local storage for tokens? [01] https://ift.tt/QwLjP6q [02] https://ift.tt/GIPAf16

Comments

Post a Comment

Popular posts from this blog

New ask Hacker News story: Brother Printers Sending Ink Data to Amazon?

Brother Printers Sending Ink Data to Amazon? 29 by Ajay-p | 13 comments on Hacker News. A most unusual thing. Every once in a while I get an email from Amazon that it's time to re-order Brother ink. I always delete these because I rarely print, but also figure it's just Amazon reminding me to buy something. Today I decided to opt out/unsubscribe once and for all. Instead I see this at the bottom of the email: "Click here to view or manage settings, including the option to opt out if you are already using another replenishment service. This took me to https://ift.tt/nMGIXiy "The data shown is based on estimated consumption reported by smart devices and orders you place through Amazon." Here it had a link to "Consumption history" which upon clicking showed me the ink levels of my Brother printer for the past two weeks . Date and time. WTF?! It is not apparent that I can disable this function. Can anyone else duplicate? Update : This is part of Alexa it
Read more

New ask Hacker News story: Tell HN: Equifax free credit report dark patterns

Tell HN: Equifax free credit report dark patterns 4 by PopAlongKid | 0 comments on Hacker News. For years, I have been obtaining free annual credit reports (annualcreditreport.com) which must be provided by law. Recently, for the first time, when I tried to obtain my Equifax report, I was prompted for an email address and a mobile phone number, a new requirement that apparently cannot be bypassed. The other two bureaus, and Equifax previously, confirmed identity by asking knowledge based questions. They do not need my phone or email for anything. Next, trying to obtain the report by phone instead of web site per instructions, I got to the point where I entered my ZIP code on the phone keypad, the voice menu system correctly repeated the number back to me, but every time I press 1 to indicate it is correct, the system acts like it got an invalid response and only gives me the option to enter further information by voice, not by the phone keypad. Just as with my phone number and email
Read more