Can an attacker view the query parameters of a shortened firebase dynamic link?
If yes, is it secure enough to use let’s say invite links that contain a group ID to access that certain group.
In that case wouldn’t there technically be the security issue of someone having a program attempt all ids till they get a correct ID?
After some research, the url parameters are indeed exposed and viewable.
Secondly, firebase document ID's consist of 20 characters, each character could be 26 * 2 (Alphabet Capital and small) + 10 number possibilities. Meaning that an ID has 62^20 combinations, Good luck to anyone trying that amount out.
Thirdly, i believe App attest would block a user if he's abusing resources.