Sniffing the Firebase traffic, I saw that the code is passed to the auth server, so it always returns a 200 status code. This shows that there is some level of additional security on the authentication protocol.
Is there a way that a Firebase authentication error fails with an identical error message when a user enters a nonexistent email address, as if entering an incorrect password?
The status code INVALID_USER raises concerns about the possibility of a user enumeration attack in the event that my application becomes compromised by script injection.
Information about how to more reliably lock down the Firebase auth protocol, and/or some statement about rate limiting (against distributed attacks), would probably go a long way toward convincing me that Firebase's built-in email and password authentication is really secure (assuming Firebase rules are configured correctly, certificates are not compromised on the client, etc.).
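Added example (not from the question and not Firebase code): a client-side wrapper that collapses the distinguishable sign-in failures into one UI message, and a small detector that flags clients whose failures are spread across many distinct e-mail addresses, the pattern an enumeration probe leaves in an application's own sign-in logs. The error codes `auth/user-not-found` and `auth/wrong-password` are the Firebase JS SDK's names for the cases discussed above; the `events` record format is an assumption, and normalizing the message in the UI does not hide the underlying code from anyone watching the network.

```javascript
// Uniform message for the UI, whatever the SDK reported.
const SAME_MESSAGE = "Invalid e-mail address or password.";

// Map a Firebase Auth error to a message that does not reveal whether the
// account exists. The three named codes are real SDK codes; anything else
// (network failure, quota, etc.) gets a separate generic message.
function normalizeAuthError(err) {
  const code = err && err.code ? err.code : "unknown";
  switch (code) {
    case "auth/user-not-found":   // the INVALID_USER case from the question
    case "auth/wrong-password":
    case "auth/invalid-email":
      return SAME_MESSAGE;        // the UI never says which one it was
    default:
      return "Sign-in failed. Please try again later.";
  }
}

// events: [{ client, email, code }] as an app's backend or proxy might record
// them (assumed format; the test feeds constructed input). A client whose
// failures cover at least `minDistinct` different addresses, at least half of
// them user-not-found, looks like a probe rather than someone mistyping a
// password for one account.
function flagEnumerationClients(events, minDistinct = 5) {
  const byClient = new Map();
  for (const e of events) {
    if (!byClient.has(e.client)) {
      byClient.set(e.client, { emails: new Set(), notFound: 0 });
    }
    const s = byClient.get(e.client);
    s.emails.add(String(e.email).toLowerCase());
    if (e.code === "auth/user-not-found") s.notFound += 1;
  }
  const flagged = [];
  for (const [client, s] of byClient) {
    if (s.emails.size >= minDistinct && s.notFound * 2 >= s.emails.size) {
      flagged.push(client);
    }
  }
  return flagged.sort();
}
```

Flagged clients are candidates for rate limiting or a CAPTCHA step, which addresses the distributed-attack concern at the application layer rather than inside Firebase.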