
Firebase - Enable email enumeration protection on all of your Firebase projects #899

Open
robert-dm opened this issue Jan 26, 2024 · 0 comments

Comments

@robert-dm
Collaborator

Firebase Console
Hi Hack4Impact,
We’re writing to let you know that to increase the default protection against email enumeration attacks, all new projects created after September 15, 2023 will now have email enumeration protection enabled. Additionally, we recommend that you enable email enumeration protection on your existing projects as soon as possible.

What do you need to know?
Email enumeration is a type of brute-force attack in which a malicious actor attempts to guess or confirm users in a system by passing an email address to the API and checking the response. Starting September 15, 2023, we’ve enabled email enumeration protection on all new projects. Existing projects were unchanged, but it is recommended that you enable this protection on all existing projects to protect your apps against credential stuffing attacks.

What do I need to do?
We highly recommend enabling email enumeration protection on all your projects after testing with your app.

If you currently utilize fetchSignInMethodsForEmail (doc examples: Java, JS, Swift), your projects will be affected. When email enumeration protection is enabled, the fetchSignInMethodsForEmail API will fail. Linking anonymous authenticated users with an email address will also not work prior to SDK version 22.3.0 for Android, 10.18.0 for iOS, and 10.6.0 for Web.

A full list of affected flows is also available for review.

Additionally, FirebaseUI libraries first run fetchSignInMethodsForEmail before allowing a user to sign in with their preferred method. If you have a dependency on the library, you should evaluate impact before enabling email enumeration detection. Once FirebaseUI libraries are updated (issue 1, issue 2, issue 3, issue 4), you should enable email enumeration protection.

One or more of your projects have Firebase Auth or Google Cloud Identity Platform enabled.

We’re here to help
If you have any additional questions, please look through our documentation center.

Thanks,
Micah on behalf of the Firebase team
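The notice above says what to switch on but not how to audit or automate it across projects, nor how to confirm afterwards that the oracle is gone. The script below is an added example, not code from Firebase or from this repository. It reads each project's Auth configuration through the Identity Platform admin REST API (`GET`/`PATCH https://identitytoolkit.googleapis.com/admin/v2/projects/{project}/config`, field `emailPrivacyConfig.enableImprovedEmailPrivacy`), enables the protection where it is off, and includes a check for the enumeration oracle itself: the sign-in error returned for a registered address with a wrong password and the error returned for an address that does not exist should be indistinguishable once the protection is active. The endpoint path, the field name, the `updateMask` parameter and the sample error payloads (`INVALID_PASSWORD`, `EMAIL_NOT_FOUND`, `INVALID_LOGIN_CREDENTIALS`) are taken from the public Identity Toolkit API as I know it and are not stated on this page; the access token is assumed to arrive in the `GCLOUD_TOKEN` environment variable, e.g. from `gcloud auth print-access-token`.

```python
"""Audit and enable email enumeration protection across Firebase projects.

Added example; not Firebase's own tooling. Endpoint, field names and sample
error payloads are taken from the Identity Toolkit / Identity Platform REST
API as understood by the author, not from the notice above.
"""
import json
import os
import sys
import urllib.error
import urllib.request

ADMIN_CONFIG_URL = "https://identitytoolkit.googleapis.com/admin/v2/projects/{project}/config"
PRIVACY_FIELD = "emailPrivacyConfig.enableImprovedEmailPrivacy"


def protection_enabled(config: dict) -> bool:
    """Read the protection flag out of a project's Auth config document."""
    privacy = config.get("emailPrivacyConfig") or {}
    return bool(privacy.get("enableImprovedEmailPrivacy", False))


def enable_patch() -> dict:
    """PATCH body that turns the protection on; updateMask restricts the change to this field."""
    return {"emailPrivacyConfig": {"enableImprovedEmailPrivacy": True}}


def _request(method: str, url: str, token: str, body=None) -> dict:
    """Minimal authenticated JSON call against the admin API (network; not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def ensure_protection(project: str, token: str) -> str:
    """Return 'already-on' or 'enabled' for one project."""
    url = ADMIN_CONFIG_URL.format(project=project)
    if protection_enabled(_request("GET", url, token)):
        return "already-on"
    _request("PATCH", f"{url}?updateMask={PRIVACY_FIELD}", token, enable_patch())
    return "enabled"


def sign_in_errors_distinguish_accounts(resp_known: dict, resp_unknown: dict) -> bool:
    """Post-change verification of the oracle the notice describes.

    Feed it the JSON error payloads from accounts:signInWithPassword for
    (a) an address you know is registered, sent with a wrong password, and
    (b) an address that does not exist. If they differ, existence still leaks.
    """
    def code(r: dict) -> str:
        # Identity Toolkit puts the machine-readable reason in error.message,
        # sometimes followed by " : human text"; compare only the first token.
        return str(r.get("error", {}).get("message", "")).split(" ")[0]
    return code(resp_known) != code(resp_unknown)


# Constructed samples (not captured from a live project) of the two regimes.
UNPROTECTED_KNOWN = {"error": {"code": 400, "message": "INVALID_PASSWORD"}}
UNPROTECTED_UNKNOWN = {"error": {"code": 400, "message": "EMAIL_NOT_FOUND"}}
PROTECTED_EITHER = {"error": {"code": 400, "message": "INVALID_LOGIN_CREDENTIALS"}}

if __name__ == "__main__":
    token = os.environ.get("GCLOUD_TOKEN")  # e.g. $(gcloud auth print-access-token)
    if not token or len(sys.argv) < 2:
        sys.exit("usage: GCLOUD_TOKEN=... enable_enum_protection.py <project-id> [...]")
    for project in sys.argv[1:]:
        try:
            print(project, ensure_protection(project, token))
        except urllib.error.HTTPError as e:
            print(project, "error", e.code, e.read().decode(errors="replace"))
```

Run it with a principal that may read and update the project's Identity Toolkit configuration, and only after the client-side review the notice asks for: enabling the flag on a project whose apps still call fetchSignInMethodsForEmail, or that rely on the affected FirebaseUI flows, breaks sign-in rather than hardening it. The response comparison checks the error body only; a response-time difference between the two cases would be a separate side channel that this check does not cover.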
