Does Fastgen use a shared database?

I keep trying to be optimistic with Fastgen, but each time I look more into it, I’m finding serious problems.

It appears that all users share the same database instance, which means as soon as there is a problem with one customer, then everyone suffers.

This reminds me of back in the day when you would sign up for dollar hosting and your account would be packed in with thousands of other users on the same server.

This is the case for many managed services at starter levels, especially for providers that are built on top of other cloud providers. Even in the relatively new serverless trend everybody is packed with everybody else for microsecond executions.
Usually these services have a higher level subscription that will isolate you from other customers when you reach a level where it’s necessary.
Talk with their support, I’m sure they can tell you what all the options are.

Fastgen is first-class for APIs and second-class for database hosting even at higher levels. This is something they are working on. (And to their credit, they are pushing out improvements at a pretty brisk pace)

If you want to be top tier the whole way through today, using supabase for the model and then fastgen for the controller (API) layer has a lot to be said for it.

1 Like

Yeah, imo you should talk to them instead, they have a dedicated slack :slight_smile:

Using supabase for the database sounds interesting. Although I find it weird to even offer a database if the recommendation is to not use it.

I’m also very worried about security.

Very easily, I’m able to see that Fastgen has 3102 databases, which I’m assuming means 3102 users.

The total size across all databases is 37gb.

The top 3 databases in size are: (using XXXXX to mask ids)

d8479031-17b8-4099-a692-8af10aXXXXX - 2418mb
ec7914ea-06c3-4f30-9d2b-5965e6aXXXXX - 1897mb
62550566-0c7e-426e-855f-192f5f6XXXXX - 1454mb

Isn’t this an issue? This was just after a few minutes of poking around. I’m sure there are plenty of other problems.

I’m concerned that any data I put in fastgen has a high likelihood of being compromised.

How did you get those stats on the databases in fastgen? That’s interesting content.

Hi @NoCode4Life,

Lukas from Fastgen here.
Thanks for asking that. It depends a bit on what plan you are on. Usually, free plans that were just created are on a shared database.
From a certain stage, some customers move to a dedicated database. You are free to connect your own database if you want (e.g. supabase) to have full control over the resources you need.

But you are right. You shouldn’t be able to see the amount of storage of other databases on the same subcluster. We have notified our DevOps team to take a look at this.

Best

3 Likes

Those are actually some bold claims, do you have something to back them up? I’d be interested as well in the legitimacy of the claims / how you got this : - )

Yes these are bold claims because they are true.

All accounts have this vulnerability. I’m not doing any hacking. I’m doing basic SQL within my own account.

To shed some light on how simple this is, I’ll share the queries. Hopefully this results in some better security.

GET ALL DATABASES WITH STORAGE SIZE

SELECT datname, concat(pg_database_size(datname)/1048576, 'mb')
FROM pg_database
WHERE datname NOT IN ('rdsadmin')
ORDER BY pg_database_size(datname) DESC;

GET DATABASE COUNT

SELECT count(datname)
FROM pg_database
WHERE datname NOT IN ('rdsadmin');

GET TOTAL STORAGE ACROSS ALL DATABASES

SELECT concat(sum(pg_database_size(datname)/1048576), 'mb')
FROM pg_database
WHERE datname NOT IN ('rdsadmin');

I just tested this and unfortunately it is true. I can see all the users who are using the same AWS Postgres Instance as me and any one of them can affect the performance of my environment with badly written SQL :grimacing: I have seen performance of Fastgen degrade over time so could be related.

What is more disturbing is that I can see who is online and what SQL they are executing with this command.

SELECT datname, query
FROM pg_stat_activity;
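The two posts above rely on PostgreSQL defaults: every database is created with CONNECT granted to PUBLIC, which is all pg_database_size() needs, and pg_stat_activity only shows other sessions' query text to superusers or members of pg_read_all_stats. The following audit and hardening statements are an added example, not code from the thread or from Fastgen; they assume PostgreSQL 10 or newer, and `tenant_a` / `db_tenant_a` are placeholder role and database names.

```sql
-- 1. Tenant-side check: which databases can my role reach, and can it read
--    other sessions' SQL? An isolated tenant should see can_connect = true
--    only for its own database and reads_all_stats = false.
SELECT d.datname,
       has_database_privilege(current_user, d.datname, 'CONNECT') AS can_connect,
       pg_has_role(current_user, 'pg_read_all_stats', 'MEMBER')   AS reads_all_stats
FROM pg_database d
WHERE NOT d.datistemplate
ORDER BY d.datname;

-- 2. Tenant-side check: how many sessions outside my own database expose
--    their query text? Unprivileged roles get '<insufficient privilege>'
--    in the query column, so visible_others should be 0.
SELECT count(*) FILTER (WHERE query = '<insufficient privilege>')        AS hidden,
       count(*) FILTER (WHERE query <> '<insufficient privilege>'
                          AND pid <> pg_backend_pid())                   AS visible_others
FROM pg_stat_activity
WHERE datname IS DISTINCT FROM current_database();

-- 3. Operator-side hardening (run by the cluster admin, i.e. the provider on a
--    managed service). Closing the default PUBLIC CONNECT grant is what stops
--    cross-tenant pg_database_size() calls; dropping stats/superuser rights
--    hides other tenants' queries in pg_stat_activity.
REVOKE CONNECT ON DATABASE db_tenant_a FROM PUBLIC;
GRANT  CONNECT ON DATABASE db_tenant_a TO tenant_a;
REVOKE pg_read_all_stats FROM tenant_a;
ALTER ROLE tenant_a NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 4. Operator-side verification: any login role that can still CONNECT to a
--    database it does not own is a leftover grant to fix.
SELECT r.rolname, d.datname
FROM pg_roles r
CROSS JOIN pg_database d
WHERE r.rolcanlogin
  AND NOT r.rolsuper
  AND NOT d.datistemplate
  AND d.datdba <> r.oid
  AND has_database_privilege(r.rolname, d.datname, 'CONNECT')
ORDER BY r.rolname, d.datname;
```

Note that pg_database itself is readable by every role in the cluster, so the database names and count stay visible after these changes; only a dedicated instance hides the tenant list entirely.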

Hello Everyone,

I’m Constantin, CTO at Fastgen. We’ve been closely monitoring this thread since its inception and are grateful these issues have been brought to our attention. In response, we’ve already implemented fixes for the vulnerabilities highlighted.

To clarify and reassure:
While it was possible to access metadata about other databases in the same cluster, at no point was the data in tables accessible. As an immediate step, we’ve restricted most of this visibility to further safeguard user privacy and are actively working on more comprehensive DB isolation going forward.

Regarding the method of disclosure: Responsible reporting of security concerns is something we strongly advocate for. The individual who brought up these issues appears to have dedicated many hours over a span of 16 days to conducting extensive testing focused solely on finding vulnerabilities, without engaging in any other use of our platform. While this effort has undeniably highlighted areas for improvement, we believe that a more direct and secure approach would have been more effective.

Communicating these findings directly to our team would have led to a faster and more controlled resolution, mitigating any unnecessary concern for other users. Additionally, we’ve observed new accounts appearing in our community Slack, created with temporary emails, solely to share this thread and alarm users while claiming to be someone else. This pattern of behaviour, including the exclusive use of temporary emails and VPNs, combined with a singular focus on uncovering vulnerabilities over such an extended period, does raise some concerns about the intentions behind these actions.

To @Nocode4Life: If your aim is to genuinely help improve Fastgen’s security, I encourage you to reach out to me directly at constantin@fastgen.com. We value constructive feedback and are dedicated to addressing security issues in a collaborative and transparent manner.

3 Likes

Free pentesting

1 Like

Hi Constantin. I’m sorry for my translated English.

But I would like to understand better what Fastgen would be, as I found it very interesting and easy to use.

But I still haven’t understood if it would be a competitor to Xano and Supabase, or if they would be more focused on Make or BuildShip.