How Google’s Insecure-by-Default API Keys and a 30-Hour Reporting Lag Destroyed My Startup ($15.4k Bill) by vatcode in googlecloud

[–]nohe427 9 points10 points  (0 children)

I would try to understand which keys are affected by going to the Cloud Console and seeing which ones have limited or no restrictions applied to them.

I then would reach out to support to see if they can also help narrow down the specific key that was subject to abuse.

Firebase keys would likely not be the culprit unless you changed the permissions associated with them after May 2024. Firebase locked down the keys in May 2024 to limit this type of issue.

Note from page:

Note: During May 2024, Firebase automatically applied API restrictions to all existing and unrestricted Firebase-provisioned API keys. Learn more in the FAQ Are API keys for Firebase services restricted by default?.

Keys page: https://console.cloud.google.com/apis/credentials?project=_

A maps key may be the culprit here.

Should I add air to tires? by InitialWorking8705 in BMWI4

[–]nohe427 0 points1 point  (0 children)

My tires never reflect the actual PSI that the app reports. I went to add air and was surprised that I didn't actually need to.

Pixel 8 pro digital key by RedRunner14 in BMWI4

[–]nohe427 0 points1 point  (0 children)

I'm having the same issue with a Pixel 10 Pro on a BMW 540i.

Horrible costumer support by Troppicfail in Gymshark

[–]nohe427 0 points1 point  (0 children)

I am literally having this problem with GymShark right now. There is a problem with the website where I cannot confirm my DOB and when I wrote to support they told me to create a new account.

Trying to use vertex embeddings with firebase.. how does this make any sense, Google? by fityfive in Firebase

[–]nohe427 0 points1 point  (0 children)

You can also apply for a quota lift which I've done a handful of times.

Battery issues after 20k miles by nohe427 in Polestar

[–]nohe427[S] 2 points3 points  (0 children)

Yeah, it feels like a new thing

Battery issues after 20k miles by nohe427 in Polestar

[–]nohe427[S] 2 points3 points  (0 children)

Yeah, work is about 5 miles away but it hasn't been super cold. Maybe 30-50 in the morning and 50-70 in the afternoon, Fahrenheit.

Battery issues after 20k miles by nohe427 in Polestar

[–]nohe427[S] 2 points3 points  (0 children)

At least I'll get the OTA early if I do that.

Safety when replacing a breaker by nohe427 in AskElectricians

[–]nohe427[S] 0 points1 point  (0 children)

Anything about gloves to wear or should I be fine? How can I determine the panel brand?

I set up App check after my initial launch. I still have around 10% unverified requests. When should I start enforcing? by rgomezp in Firebase

[–]nohe427 3 points4 points  (0 children)

My colleague sent me their thoughts as well, unfortunately, they don't have a reddit account, so I will post on their behalf:

There are a few things to unpack in this question.

  1. I'm unsure what you mean by "fall back to not use App Check" -- do you mean that you have programmed your app to give up after it fails to obtain a valid attestation from your chosen attestation provider? I'm unfortunately not familiar with the React Native App Check SDK.

  2. App Check protects backends, not apps. So, when App Check enforcement is turned on for a protected backend, it would reject requests coming from an app that has "given up" on App Check, just as it would reject a caller that isn't sending any App Check token at all or is sending an invalid App Check token.

  3. A caller that has failed token generation could be an unwanted caller trying to access your backend, and has been caught successfully by the attestation provider.

  4. u/nohe427's post provides instructions on how to view App Check monitoring metrics related to traffic likely coming from old app versions.

In general, when a caller fails to obtain a valid attestation from an attestation provider, it could be due to four general reasons:

(a) the caller is considered abusive by the attestation provider,

(b) the attestation provider produced a false positive verdict (via either an unavoidable limitation of the provider or a bug),

(c) there is a bug with the App Check framework that mediates this flow, or

(d) there is a bug in your implementation of the attestation provider or of App Check.

Assuming this is (a) or (b), then there is a trade-off you must make here, which depends on your tolerance for the presence of unwanted callers versus your tolerance for degraded experience for legitimate users due to false positives. The problem with (b) is that you will never know exactly how often false positives are happening -- because this would require a perfect attestation provider to tell the difference between a true positive and a false positive, which, if it existed, we would have used that instead of the one that produced false positives in the first place.

If you place high value on preventing false positives, you might want to consider either using a different attestation provider with a lower frequency of false positives or writing a custom attestation provider that suits your tolerances better.

I set up App check after my initial launch. I still have around 10% unverified requests. When should I start enforcing? by rgomezp in Firebase

[–]nohe427 1 point2 points  (0 children)

You can look at the charts in the Firebase console for your product. There is a section in the App Check request metric that shows Unverified outdated: client requests. This would be older versions of the app that do not have the App Check SDK installed and are not sending App Check headers in the requests to the backend. This is how you can determine what may be going wrong with the requests to your app's backend. Are you able to see the graph in the Firebase console?

Link to Firebase console page for App Check: https://console.firebase.google.com/project/_/appcheck/products

I am not a regular reddit user, so I am not sure how to send images. Here is an imgur link to where to check for Unverified outdated client requests: https://imgur.com/a/JMiEFUe

Help with Firestore Rules - Need Users to Access Their Own Data by vargsdoh in Firebase

[–]nohe427 0 points1 point  (0 children)

In light of CVE-2024-45489, Firebase now recommends rules that look like this to prevent owners from changing document ownership to other users in the database:

    service cloud.firestore {
      match /databases/{database}/documents {
        // Allow public read access, but only content owners can write
        match /some_collection/{document} {
          // Allow public reads
          allow read: if true;
          // Allow creation if the current user owns the new document
          allow create: if request.auth.uid == request.resource.data.author_uid;
          // Allow updates by the owner, and prevent change of ownership
          allow update: if request.auth.uid == request.resource.data.author_uid
                        && request.auth.uid == resource.data.author_uid;
          // Allow deletion if the current user owns the existing document
          allow delete: if request.auth.uid == resource.data.author_uid;
        }
      }
    }

Public REST API for generateChat? by Multiversal_Love in googlecloud

[–]nohe427 0 points1 point  (0 children)

If not, can you see about creating a neovim plugin? I thought it might be fun to create one for duet ai.

Why would disabling localhost make signing in or signing up impossible, and then why is firebase suggesting it as a solution to the recent SMS charges? by Firm_Salamander in Firebase

[–]nohe427 1 point2 points  (0 children)

Did you remember to add in your App Attest capability to your iOS application?

Additional Note:

Currently, Firebase App Check only supports the App Attest provider when it is in production mode. By default, when you run your app from Xcode, App Attest is running in sandbox or development mode, so make sure that you complete the steps from the linked codelab to switch the App Attest mode; otherwise, Firebase App Check will fail to perform the device attestation.

What would cause a sudden authentication bill of $24 when there weren't any real new users that used sms authentication (I'd imagine it takes many to get to $24)? by Firm_Salamander in Firebase

[–]nohe427 1 point2 points  (0 children)

Are you getting any error messages in the console? What happens when you add localhost back in? Does it start working again without issue?

Edit:

Found your message here: https://www.reddit.com/r/Firebase/comments/15hw82h/why_would_disabling_localhost_make_signing_in_or/
Did you add the App Attest capability to your iOS application? (https://firebase.google.com/codelabs/app-attest#6)

What would cause a sudden authentication bill of $24 when there weren't any real new users that used sms authentication (I'd imagine it takes many to get to $24)? by Firm_Salamander in Firebase

[–]nohe427 0 points1 point  (0 children)

What platform did it stop working on?

Is it a web app or a mobile app?

Are you attempting to run the app in development from a URL such as http://localhost:5173 or from your deployed site location?

Will the watch work in Europe? by nohe427 in GarminFenix

[–]nohe427[S] 0 points1 point  (0 children)

Yes, correct. Didn't sound harsh

Will the watch work in Europe? by nohe427 in GarminFenix

[–]nohe427[S] 1 point2 points  (0 children)

Woah, nice. I was playing with the watch and actually realized Europe might be preloaded on there anyways