Firebase Storage: Can a malicious, authenticated user write a massive file to Firebase Storage if the only security rule is "auth != null"?

Question

I am developing an Android app that makes use of Firebase Storage with Security Rules.

Currently my only Firebase Security Rules are auth != null on both read and write, a 5 MB max file size on write, and a 1 hr period max before users can no longer read the file.

My question is: how safe is this? How hard would it be for a malicious user to upload multiple files repeatedly, so as to kill my storage space?

You just posted a similar question here: groups.google.com/forum/#!topic/firebase-talk/hS0_rPgsGPM While the posts are slight different, please indicate when you post it in multiple locations. — Frank van Puffelen

Frank van Puffelen Frank van Puffelen · Accepted Answer · 2017-09-16T20:13:35

Yes, with just security rules of auth != null any authenticated user can upload whatever they want to your Cloud Storage bucket.

If file size is a realistic concern for your use-case, you'll want to have a stricter user-check than auth != null and/or implement a reasonable limit on file size

Firebase Storage: Can a malicious, authenticated user write a massive file to Firebase Storage if the only security rule is "auth != null"?

1 Answers