Firebase CLI Installer Making Calls to Google Analytics
Firebase is a mobile and web application development platform provided by Google. One of the tools available for the platform is the Firebase CLI tool (GitHub repo) which helps developers interact with the platform from command line. An automatic install script is offered among other options, which allows installation of the CLI tool via the “curl | bash” pattern as follows:
As part of our ongoing research into supply chain attacks, we have been looking into bash installer scripts that make calls to external systems. First, there is no way to verify that the installer is legit, However, to our surprise, we also found that this script makes calls to Google Analytics as part of the installation process. There is no sensitive data being collected but Google may still be collecting IP addresses of users installing the CLI. The source code for the installer script can be found here:
While this can be disabled, the documentation to do so is hard to find and is embedded within the installer script itself. We hope that Google will make this documentation more clear in the future. In any case, here is the documentation:
Leave a Comment
Related Posts
/cdn.vox-cdn.com/uploads/chorus_asset/file/25416391/STK473_NET_NEUTRALITY_CVIRGINIA_C.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/25415669/1238020424.jpg)
