[00:00:00] Instructor: Hi. Within this section we are going to focus on cloud server security, specifically Firebase security. So Firebase is a cloud server backend system provided by Google, and it's commonly used in app development, whether it's Android or iOS, and it's used in web development as well. But there can be some vulnerabilities if the Firebase security rules are not properly configured. So within this section, we are going to focus on this issue. And in order to simulate this in a real example, I have written a Twitter app specifically for this course. So I'm going to share this Twitter app with you via GitHub, and you're going to see all the source code. And of course you're going to build this on your own as well, and you're going to follow me along. We are going to take all of this code and embed it in our own project and make it run as you are seeing right now, okay? So these articles, I'm going to share them with you. And also you're going to create a Firebase server. You will create a Google account, you will create a Firebase account.

[00:01:23] You will learn how to connect Firebase with your project and then do whatever you want to do with it. Of course, if you are not an Android developer, you will still understand this course. I will explain all this code and what it does, but of course it's not a development course, so we are not going to write it from scratch. We will be using this code that I have written for this course. But you will see the basics, you will understand what it does. And again, as I said before, we are going to create our own Firebase database and connect it with our app as well. So this is very commonly used in app development right now. As you can see, this is our database, and there are some other modules regarding Firebase, like storage, like authentication. We're gonna see a couple of these other modules as well during our app-building phase. And then after we build this app, we are going to hack into it and we are going to hack into the database. And then afterwards we are going to see how to make it secure. So over here, let me show you how this app works.

[00:02:39] If you have an account like this, you can sign in with your account, or if you don't have one, you can create a new one. And we are going to see how we can do that with Firebase as well. So Firebase has its own user module, an authentication module, so we can create usernames and passwords and we can save them in Firebase as well. So as you can see, there is a Sign Up and a Sign In button. So if we already have an account we can say Sign In and it'll sign us in and we will see the tweets like this. So this is very short for a tweet. Maybe you can think of this like a chat app or something, but you get the idea. For example, if I hit Tweet over here I can write a tweet. So we have a 140 character limit here just like in Twitter. Once I'm done with my tweet, I can just hit the button, and it will add that tweet to the top of the list. So I can see my own tweets. I can see the other people's tweets as well. So right now I'm connected with lars@gmail.com, and as you can see, we have james@gmail.com as well.

[00:03:55] So we are seeing other people's tweets, and they're all saved in this database under the Tweets collection, and we'll see what a collection is later on. And as you can see, it works. It's great. But there is some kind of vulnerability in this app. So we are going to see how to exploit it. For example, I'm going to execute a command over here with which we can get all the data for this database. And this is not coming, this is not happening because I am the owner of this app. You can write it anywhere, from anywhere you want, and you will still get this data. And you can even delete the data after you get the data. For example, I'm going to choose this tweet, okay. I'm going to copy it and I'm going to change the command over here, and I'm going to paste it in. And then I'm going to hit Enter and it will delete the data from the database. So let me open the database and find the related document. So let's see, what was it, t's POB. Let's find POB. It will be around here. And here you go, I believe it's there.

[00:05:18] So when I hit Enter, it will just delete this, okay? And you will see it in real time. So I deleted it. As you can see, it's removed from the Firebase database. So of course you haven't understood anything if you are not familiar with Firebase or Android development. But again, we are going to take care of that in this section. So that's it, that's what we are going to do. We are going to build a Twitter app and then we are going to hack it, and then we are going to learn how to fix this problem so that no one can hack into our apps if we are a developer. So if you are ready, let's get started within the next lecture.