Comment on Women’s ‘red flag’ app Tea is a privacy nightmare
Kalothar@lemmy.ca 4 weeks agoMy hey we’re probably using Firestore as their database without authenticating their api calls to firebase functions. Basically leaving their api endpoints open to the public Internet.
They could have connected service account and used some kind of auth handshake between that and generate a temporary login token based on user credentials and the service account oauth credentials to access the api. but they probably just had everything set to unauthenticated
nickwitha_k@lemmy.sdf.org 4 weeks ago
Yup. It sounds like they were following security worst practices.
Kalothar@lemmy.ca 4 weeks ago
I get doing that in Dev for testing before launch, but in production? that’s insane.
Like it has to either be a junior developer playing the role of lead or some serious lack of web dev fundamentals haha
nickwitha_k@lemmy.sdf.org 4 weeks ago
I’d argue that it should not even be done in Dev. Dev, staging/testing, and prod environments should all be as close to one another as possible, especially for infra like datastores.