
I've encountered a pressing issue involving Google's billing system within the context of Firebase SMS services. The problem at hand pertains to fraudulent SMS activities resulting in unwarranted charges. It's alarming to note that a substantial number of Firebase users have also fallen victim to this predicament, which seems to stem from Google's recent adjustments to SMS pricing.

Despite my diligent efforts to address this matter, which included filing multiple support cases via the Firebase portal, the responses I've received thus far have been disappointingly generic. They claim to have issued notifications regarding the situation on two separate occasions, yet I have not received any such communications in my inbox.

In terms of mitigations, they have recommended several measures. One of these involves restricting access from specific countries, a tactic that, while offering some degree of respite, doesn't seem to serve as a comprehensive solution. This suggests that these interim measures are designed to buy time rather than to provide a substantive resolution. Another suggestion is the removal of "localhost" from the authorized domain list. Additionally, they advise the utilization of Enforce App Check as a potential countermeasure.

However, it's concerning to report that none of these proposed remedies have demonstrated effectiveness. Despite these efforts, fraudulent SMS messages continue to be transmitted. Enforce App Check, which was touted as a potential solution, has regrettably failed to address the issue at hand, rendering its implementation ineffectual.

The ramifications of this security loophole are substantial, as it has not only impacted our business's financial metrics but has also compelled us to temporarily disable critical authentication services as a precautionary measure. While my overall sentiment toward Firebase remains positive, the ongoing experience has been terrible.

If anyone has a better understanding of this situation or can offer technical insights to address these challenges effectively, your contributions would be tremendously valuable and sincerely appreciated.

EmanRobi
  • Also receiving these fraudulent SMS recently, our billing has gone up substantially and received exactly the same responses you describe. AppCheck for auth is in beta and is not working for my app currently also. This is not a great situation. – Seamus Aug 09 '23 at 21:14
  • Yeah, it's a waiting game. They have no ETA at the moment. – EmanRobi Aug 10 '23 at 00:09

0 Answers