Hack Any Outlook Account in Firebase Apps – Zero-Click Email Verification
1•vrajshroff•2h ago
If your app uses Firebase Auth email verification, enterprise Outlook users protected by Microsoft Defender Safe Links may already be getting their accounts auto-verified — without them ever opening an email. That flip of emailVerified = true can silently enable attackers to impersonate employees, trigger payouts, reset credentials, or walk through internal onboarding flows. This is a huge trust collapse between two widely used security features.
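Added example (not from the post or from Firebase): a verification action handler that never flips the verified flag on a plain GET, so a scanner that pre-fetches the link cannot complete verification; only an explicit POST from the confirm page does. Firebase is mocked with an in-memory store (constructed data); in production the POST step is where you would call the client SDK's applyActionCode or the Admin SDK's updateUser, and the handler assumes Firebase's action link has been pointed at this custom page.

```javascript
// Pattern: GET renders a confirm page (no state change); POST performs verification.
// Link scanners and mail-client previews follow GET, not form submissions.

const users = new Map();         // uid -> { email, emailVerified }   (constructed store)
const pendingCodes = new Map();  // oobCode -> uid                    (constructed store)

// Register a user awaiting verification; oobCode mimics Firebase's one-time code.
function createPendingVerification(uid, email, oobCode) {
  users.set(uid, { email, emailVerified: false });
  pendingCodes.set(oobCode, uid);
}

// Simulated HTTP handler for the verification URL.
// req = { method, query: { oobCode }, body: { oobCode, confirm } }
function handleVerificationRequest(req) {
  if (req.method === "GET") {
    // Only validate the code and render a page with a "Confirm" button.
    const uid = pendingCodes.get(req.query && req.query.oobCode);
    if (!uid) return { status: 400, verified: false, body: "invalid or expired link" };
    return { status: 200, verified: false, body: "confirm page (button POSTs back)" };
  }
  if (req.method === "POST" && req.body && req.body.confirm === true) {
    const uid = pendingCodes.get(req.body.oobCode);
    if (!uid) return { status: 400, verified: false, body: "invalid or expired code" };
    pendingCodes.delete(req.body.oobCode); // single use: a replayed code is rejected
    users.get(uid).emailVerified = true;   // production: applyActionCode / updateUser
    return { status: 200, verified: true, body: "email verified" };
  }
  return { status: 405, verified: false, body: "method not allowed" };
}

function isEmailVerified(uid) {
  const u = users.get(uid);
  return u !== undefined && u.emailVerified === true;
}

// Demo with constructed values: a scanner-style GET, then a real user POST.
function demo() {
  createPendingVerification("uid-1", "alice@example.com", "code-abc");
  const scan = handleVerificationRequest({ method: "GET", query: { oobCode: "code-abc" } });
  const afterScan = isEmailVerified("uid-1");             // still false
  const user = handleVerificationRequest({ method: "POST", body: { oobCode: "code-abc", confirm: true } });
  return { scanStatus: scan.status, afterScan, afterUserConfirm: user.verified && isEmailVerified("uid-1") };
}
```

Anything downstream that keys on emailVerified (payouts, credential resets, onboarding) should treat the flag as trustworthy only when it was set by this POST path.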
Comments
vrajshroff•2h ago
What’s fascinating here is that two “secure” systems — Microsoft’s Safe Links and Firebase Auth — combine to break security.
It’s the perfect example of layered defenses interacting in unexpected ways.
Should email verification ever be trusted as proof of ownership in 2025, or is it time we move away from link-based auth entirely?