Vikrum Nijjar
Vikrum Nijjar Head of Operations April 08, 2014

OpenSSL Security Update

Yesterday the OpenSSL Project released an update to address the “Heartbleed” vulnerability. This is a serious vulnerability that allows an attacker to see the contents of memory on a server. Given the widespread use of OpenSSL and the versions affected, this vulnerability affects a large percentage of services on the internet.

Although the Firebase realtime servers were unaffected by this exploit, our servers managing authentication to the Firebase website were vulnerable. This could have allowed an attacker to obtain authentication credentials while they were in-flight. Internally we protect passwords by hashing them using bcrypt, but that precaution did not help given the nature of this exploit.

Once the exploit was revealed our infrastructure team responded immediately and all Firebase services were secured the same day, by 11pm PDT on Monday, April 7. Firebase is no longer vulnerable to this exploit.

Your Firebase Password and Secrets

We do not have any evidence that passwords or any other private information has been compromised. However, given that this exploit existed in the wild for such a long time, it is possible that an attacker could have stolen passwords without our knowledge. As a result, we recommend that all Firebase users change the passwords on their accounts. We also recommend that you reset your Firebase Secrets, which you can do from the "Secrets" tab in your App Dashboard.

Security at Firebase

The safety and security of our customer data is our highest priority. We are continuing to monitor the situation and will be responding rapidly to any other potential threats that are discovered.

If you have any questions or concerns, please email us directly at security@firebase.com.

Help us spread the word

More Firebase Articles

Feb 13, 2015
Fireside Chat with Nau App
Feb 11, 2015
The 2^120 Ways to Ensure Unique Identifiers
Jan 23, 2015
A Video Walkthrough of Swift Fundamentals
Jan 21, 2015
Fireside Chat with TalkToUsers
Dec 30, 2014
2014 in Review: Google, Queries, and more!
Dec 17, 2014
Moment: Anonymous Chat With Firebase
Dec 12, 2014
Building Reviewable With Firebase
Dec 08, 2014
Fireside Chat with SurveyLegend
Dec 05, 2014
[Cross Platform Demo] Inetech Office Mover 5000
Nov 17, 2014
Tips & Tricks for Firebase Hosting