• The main page for integrate-firebase says this:

    If you want a secured implementation, with much more features, check the Integrate Firebase PRO version.

    I was wondering, in what way(s) is Integrate Firebase not secure?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter rmanno

    (@rmanno)

    In the absence of a response on this question, I thought I’d reply back with what I’ve found in playing around with the plugin.

    I found a security issue where the login form will put the email address and password in the URL query params in the address bar if there is an error during the login process, leaving the user’s password on full display for all to see. I view this as a pretty serious security issue.

    It is relatively easily remedied. You can either modify the class.shortcodes.php file, adding a method='post' attribute to the <form id='firebase-login-form'> tag. This will prevent the form from modifying the query string when it encounters an error.

    Alternately, if you would prefer not to modify the plugin itself, you can add some JavaScript to your WordPress site which simply adds the attribute to the tag programmatically at runtime. I did it by adding the following:

    // Force the login form to submit by POST so the credentials stay out of the URL.
    jQuery(document).ready(function () {
        jQuery("#firebase-login-form").attr("method", "post");
    });

    I would highly recommend everyone using this plugin to remedy the issue as outlined above until the author can release a fixed version of the plugin.
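
The condition described in the post above, written as a markup audit. This is an added example, not part of the original thread or the plugin's code. The sample HTML, its field names, the extra form ids and the function names are constructed for illustration; only the `firebase-login-form` id comes from the post.

```javascript
// Added example: find forms that would send a password field by GET.
// A <form> with no method attribute defaults to GET, so a native submit
// (for example after a script error) puts every field into the query string.

// Constructed sample markup. The first form mirrors the unpatched tag from
// the post; the field names and the other two forms are assumptions.
const SAMPLE_HTML = `
<form id='firebase-login-form'>
  <input type='email' name='email'>
  <input type='password' name='password'>
</form>
<form id='patched-login-form' method='post'>
  <input type='password' name='password'>
</form>
<form id='search-form'>
  <input type='text' name='q'>
</form>`;

// Read one attribute from an opening tag; handles single, double or no quotes.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return the ids of forms that hold a password input but do not submit by POST.
function findGetPasswordForms(html) {
  const risky = [];
  const formRe = /<form\b[^>]*>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const openTag = m[0].slice(0, m[0].indexOf('>') + 1);
    const inputs = m[1].match(/<input\b[^>]*>/gi) || [];
    const hasPassword = inputs.some(
      (i) => (attr(i, 'type') || '').toLowerCase() === 'password');
    // No trimming: a value that is not exactly "post" is treated as not POST.
    const method = (attr(openTag, 'method') || 'get').toLowerCase();
    if (hasPassword && method !== 'post') {
      risky.push(attr(openTag, 'id') || '(no id)');
    }
  }
  return risky;
}

console.log(findGetPasswordForms(SAMPLE_HTML));
```

Run it over the rendered login page or the shortcode template before and after applying either fix; an empty result means no password form is left on GET.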

    Plugin Author Dale Nguyen

    (@hanthuy)

    Thanks, @rmanno. I have the plugin open on GitHub. It would be great if you can help to improve it.

    https://github.com/dalenguyen/firebase-wordpress-plugin

  • The topic ‘Integrate Firebase security’ is closed to new replies.