Hack Any Outlook Account in Firebase Apps – Zero-Click Email Verification
Key topics
A security vulnerability in Firebase Auth email verification can silently verify enterprise Outlook users' accounts without their interaction, potentially allowing attackers to impersonate employees. The discussion highlights the trust collapse between Firebase and Microsoft Defender Safe Links.
Snapshot generated from the HN discussion
Discussion Activity
Light discussionFirst comment
3m
Peak period
1
0-1h
Avg / period
1
Key moments
- 01Story posted
Oct 27, 2025 at 10:01 PM EDT
2 months ago
Step 01 - 02First comment
Oct 27, 2025 at 10:04 PM EDT
3m after posting
Step 02 - 03Peak activity
1 comments in 0-1h
Hottest window of the conversation
Step 03 - 04Latest activity
Oct 27, 2025 at 11:28 PM EDT
2 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
It’s the perfect example of layered defenses interacting in unexpected ways.
Should email verification ever be trusted as proof of ownership in 2025, or is it time we move away from link-based auth entirely?