2

My app is in internal testing and has 2 testers. But the console shows up random user emails in the firestore auth console.

enter image description here

I need to know where do these emails come from

Doug Stevenson
  • 268,359
  • 30
  • 341
  • 380
johnrao07
  • 6,253
  • 3
  • 29
  • 50
  • I don't have any more details to add. The random emails shows up after I roll-out update in the internal test track – johnrao07 Oct 04 '20 at 12:00
  • This seems to be issue which may require further investigation from a support representative, and may require the handling of personal information. This may be a security issue or a possible internal issue and would require further investigation from the Firebase support team. I would recommend submitting a inquiry with the [Firebase Support](https://firebase.google.com/support/troubleshooter/contact) team in order to appropriately investigate this issue. – KevinH Oct 07 '20 at 00:14
  • Did you disclose your Firebase apiKey to some potentially malicious users? While it is not a security thread to disclose it (see https://stackoverflow.com/a/37484053/3371862) you need to know that someone with your project apiKey can very easily create as many users as they want in your Authentication service, e.g. by using the Auth REST API. See https://firebase.google.com/docs/reference/rest/auth#section-create-email-password. Note also that it is not very difficult to reverse engineer your app to find the apiKey. For example with a SPA web app it’s a matter of seconds. – Renaud Tarnec Oct 07 '20 at 02:21
  • @RenaudTarnec I can confirm that the random emails show up right after I rollout the internal test. There is no way to use the app and data with the google auth, I think it can be testing emails from google play dev team? – johnrao07 Oct 07 '20 at 21:16
  • @KevinH I will reach out to the support team in a few days if I don't get any answers here – johnrao07 Oct 07 '20 at 21:17
  • these are the people who check your app before approval in google play console. it happens in my app as well everytime i publish a new release i see a new account pop up. you could add test account crenetials in you play console. – Harkal Oct 10 '20 at 22:20
  • @johnrao07 Did you achieve to understand where these emails come from? I have the same problem. dozens of emails all formatted like this: johndoe.12345@gmail.com. I suspect that this comes from a sort of automated testing from the play store. But I'd like to confirm it. – BbL Sep 04 '21 at 20:52
  • This was a surprise to me too. I had just implemented Google auth, published to internal testing only, and then three random accounts popped in. Any answers come up? – jbryanh Feb 21 '22 at 22:44
  • Happened to me too. Very creepy. – Abushawish Apr 25 '22 at 05:01

0 Answers0