As this project is using Firebase, despite it using randomized keys (which makes it seem like something vaguely "secure", in that other people probably would be unable to guess the key of your document and start messing with you or reading what you wrote), it is trivial to iterate and find all of the other documents people are editing by dumping the database.
To demonstrate, open up a JavaScript Console (such as the Chrome inspector or something; I assume this won't be problematic in other browsers, but it does involve a callback to an anonymous function typed into the console, and I don't do much JavaScript to know if that will cause some weird protected scope error in some browsers) and plug in the following:
  // Open a reference to the app's Firebase root (the URL is exposed in the page's own JavaScript)
  // and read the whole tree once.
  new Firebase(Socrates.firebaseUrl).once('value', function(snapshot) {
    var val = snapshot.val();
    // Every document lives under "documents"; nothing prevents listing all of them.
    for (var i in val.documents) {
      var doc = val.documents[i];
      console.log(doc.id + ': ' + doc.title + '\n' + doc.body);
    }
  });
The output will be the identifiers, titles, and contents of every document in the database (including one which seems to be the developers of Socrates.io trying to come up with a way to charge for people using the beta, including examinations of which payment processor to use, etc.; I'm now quite curious if they realized that was public... it's not bad or anything).
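The dump above works only because the database has no rules at all. As an added illustration (not code from the thread or from Socrates.io), this is the kind of Firebase security rules file that would close it, assuming the documents live under a "documents" node and that each one stores an "owner" field holding the uid of the user who created it (both the field and the auth model are assumptions here):

```json
{
  "rules": {
    // Default deny: a once('value') on the root returns nothing.
    ".read": false,
    ".write": false,
    "documents": {
      // No ".read" at this level, so the collection cannot be listed.
      "$docId": {
        // A document is readable only by the authenticated user recorded as its owner
        // (assumed "owner" field).
        ".read": "auth != null && data.child('owner').val() === auth.uid",
        // Creation is open to any signed-in user; overwriting requires ownership.
        ".write": "auth != null && (!data.exists() || data.child('owner').val() === auth.uid)",
        // Whatever is written must carry the fields the client reads plus a correct owner.
        ".validate": "newData.hasChildren(['id', 'title', 'body', 'owner']) && newData.child('owner').val() === auth.uid"
      }
    }
  }
}
```

With these rules in place, a client that knows only a document's random key still needs to be signed in as that document's owner to read it, so guessing or enumerating keys no longer yields anyone else's content.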
hey, one of the authors here. We did realize this. This is a weekend hackathon project to allow the hacker news community to write nice clean markdown.
Firebase offers security, but we just didn't get around to using it yet.
You shouldn't choose to use it for sensitive information, but for Github readmes and other already public content, it's a great tool.
Ok, when I was last talking to them[1], they did not have anything at all for security but a vague idea that it was important and a possible "would something like this work?" that was more about securing the API than the data ;P. Their FAQ still states they are working on it, but maybe they have something more in-depth now for the beta users (such as yourselves)?
The pretty sane and "simple" (easy to implement on the server, but difficult for developers to use correctly) way of doing it is something like StackMob or Parse's ACL feature (but even that tends to be misused, and as soon as data can be shared between users is almost impossible to get right without using custom server-side logic, which these kinds of companies are now supporting).
(FTR, I try to hit on these things pretty hard, as I'm highly concerned that these online middleware companies are short-changing the importance of security in the cloud, if not often in their implementations then almost always in their documentation and tutorials. I gave a talk at 360|iDev this year discussing solutions like StackMob and Parse, doing live demos of ripping keys out of apps and dumping their databases.)
(One of the apps I ran into--which I did not demo dumping data from during that talk ;P, although I did show a totally anonymized snippet of the kind of data it was storing--was an online dating matchup app that was storing all of its offline Facebook full-access auth tokens trivially accessible in StackMob, along with all of the "private" messages sent between the users... all of this despite the app supporting nicknames for "anonymity" and listing "security" as one of its defining features :(.)
(Firebase, to their extreme credit, is very honest about the fact that your data is all public: it is the very first question in their FAQ, and they state the situation 100% clearly and entirely outright. "However, it’s not ready for widespread use yet, so right now all data in Firebase is publicly accessible. Please keep this in mind when building apps!" <- emphasis is thankfully theirs, not mine ;P)
Saurik - We're glad that there are people like you searching for holes in services like Firebase. Hopefully it'll keep making all of us better. Please keep doing it.
As ivolo noted, we do have a security feature set we're testing. It has taken a little while to build something that is both functional and usable. We're pretty confident we've got something that our users will love.
Oh my god. That website has JavaScript that adds and removes a pipe "|" at the end of the page title, and it looks like a blinking caret for text input.
Looks like it only alternates between the two states (flashing and not flashing), so if the page is opened as a new tab (i.e. not focused to begin with) then the flashing occurs when the tab is not focused.
If I place it as an application tab in Firefox (16), it will highlight the tab because it assumes the content has changed... it doesn't happen always, though.
Congrats on your taking action. It puts you ahead of 90% of the people who read and don't execute.
A few questions...
* Is your project for fun or for profit?
* If the latter, what pain does it alleviate, whom is it targeted towards, and before you created it, was there any indication they wanted a solution strongly enough to pay someone for the answer?
That's because you're not an entrepreneur - fair enough. A person who wants to build a sustainable business however, has to solve urgent problems and generate profits for stakeholders (not relevant if you're a socialist).
A nice feature would be to be able to swap the planes so that you have the option to write on the right and have the formatted output on the left.
Mou, the great markdown editor on OS X, is also set up as this web app, with the formatted output on the right and the input area on the left, without an option to switch it.
Am I weird for wanting to type on the right? Is this some odd "handedness" issue? (I'm right handed)
Looks awesome, great job! One thing though: if you have a YT video embedded (like in the example) and you edit some text or whatever, the video keeps flashing. I'm guessing you are refreshing the whole right pane. It's rather annoying and creates needless requests to YT (not that they'd notice, but still).
In the interim (between my and your comments) they stopped doing that (the URLs are now relative to socrates.io, as opposed to being absolute off of raw.github.com).
It would be really nice if Socrates had syntax highlighting for Markdown. I'd suggest using Ace, if it was not too much for that simple task. Maybe write your own? Also, I'd love it if somebody made a simple WordPress plugin for this type of writing. Relaxing and easy.
Nice! Small nit: If you're referencing a URL - i.e. [My text][1] - and that URL happens to be a YouTube video, it removes the text and embeds the video. Probably not the desired effect.
Darn, my guess is it's flexbox weirdness, since Safari only supports the old spec. I tried to fall back to the old spec when possible, but that could be something that was never fixed since the old spec was abandoned... sorry about that!