14

If I use the Firebase user UID as a QR code tag, is this a wise approach?

What are the consequences if the UID is known by the public?

Will this give a hacker any chance to modify the user's private data?

Frank van Puffelen
Jason Hoch

1 Answer

26

A Firebase UID is not a security mechanism by itself. Knowing a user's UID is not a security leak.

Knowing a user's UID does not mean you can impersonate that user. I may know that you're Jason Hoch and your StackOverflow user id is 52961000. But I still cannot use that information to authenticate as you at StackOverflow.com.

Say that you have the user's profile information in the Firebase database:

```
users
    uid_52961000
        name: 'Jason Hoch'
```

And you have these corresponding security rules:

```
"users": {
    ".read": true,
    "$uid": {
        ".write": "auth.uid === $uid"
    }
}
```

With these settings, I can only write /users/uid_52961000 if I'm authenticated as user uid_52961000. Since authentication requires that I know your username/password or some other (Facebook or other social provider) secret, without those I cannot pretend to be you.

Frank van Puffelen
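The rules quoted in the answer, modelled as an added example (not code from the answer or from Firebase): a small local evaluator that checks what a person holding only the UID from the QR code can do. `evalRule` and `isAllowed` are hypothetical helper names, `uid_11111111` is a constructed UID, and the model covers only the cascading and `$` wildcard behaviour these particular rules need.

```javascript
// Added illustration: a local model of rule evaluation, not the Firebase SDK.
// The rules object mirrors the rules quoted in the answer.
const rules = {
  users: {
    ".read": true,
    "$uid": { ".write": "auth.uid === $uid" },
  },
};

// Evaluate one rule. Rule strings here are trusted constants from `rules`.
// Any evaluation error (for example auth === null) denies access.
function evalRule(expr, auth, vars) {
  if (typeof expr === "boolean") return expr;
  try {
    const names = Object.keys(vars);
    const fn = new Function("auth", ...names, `return (${expr});`);
    return fn(auth, ...names.map((n) => vars[n])) === true;
  } catch (e) {
    return false;
  }
}

// Walk the path from the root. Rules cascade downward: the first rule on the
// way that grants `op` grants it for everything beneath. Default is deny.
function isAllowed(op, path, auth) {
  let node = rules;
  const vars = {};
  const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  for (const segment of path.split("/").filter(Boolean)) {
    const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
    if (has(node, segment)) {
      node = node[segment];
    } else if (wildcard) {
      vars[wildcard] = segment; // capture $uid from the path
      node = node[wildcard];
    } else {
      return false; // no rule covers this location
    }
    if (has(node, op) && evalRule(node[op], auth, vars)) return true;
  }
  return false;
}

const target = "/users/uid_52961000"; // UID as printed in the QR code
const scanner = null; // unauthenticated person who scanned the code
const otherUser = { uid: "uid_11111111" }; // constructed UID of another account
const owner = { uid: "uid_52961000" };
```

Because `.read` is `true` for all of `users`, everything stored under a profile is readable by whoever scans the code; only writes are tied to the signed-in UID.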