
Firebase

Overview

Firebase is a Backend-as-a-Service (BaaS) platform by Google. Misconfigurations can lead to data exposure, unauthorized access, and account takeover.

Common Misconfigurations

Insecure Realtime Database

# Test for open database (no authentication required)
curl https://PROJECT-ID.firebaseio.com/.json

# If data comes back (or "null" for an empty but readable database) = VULNERABLE
# If it returns {"error": "Permission denied"} = properly configured

# Test for write access (use a clearly labelled test entry and remove it afterwards)
curl -X PUT -d '{"test": "data"}' https://PROJECT-ID.firebaseio.com/test.json

# Test with shallow query (lists top-level keys only, without pulling the whole database)
curl "https://PROJECT-ID.firebaseio.com/.json?shallow=true"

Insecure Cloud Firestore

Insecure Storage Buckets

Enumeration

Finding Firebase Projects

API Key Extraction

Exploitation

Database Data Exfiltration

Authentication Bypass

Write Access Exploitation

Cloud Functions Exploitation

Tools

Python Connector

Security Rules Analysis

Reporting Findings

When reporting Firebase misconfigurations:

  1. Data Exposure: Document what data is accessible (PII, credentials, etc.)

  2. Write Access: Demonstrate ability to modify data (use test entries)

  3. Impact: Explain business impact (data breach, service disruption)

  4. Remediation: Recommend proper security rules
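Recommending proper security rules goes faster with a quick review of the rules file itself. The following is an added example, not part of this page or of any Firebase tooling: it walks a Realtime Database rules JSON and flags grants to the public and to any signed-in user, including child rules that cannot narrow a grant inherited from a parent (the sample rules document is constructed for the example).

```python
import json
from typing import Any, Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (path, operation, issue)

# Constructed sample rules for this example, not taken from any real project:
# the root opens reads to everyone, "users" lets any signed-in account write,
# and "$uid" tries (and fails) to lock reads and writes down to the owner.
SAMPLE_RULES = json.loads("""
{"rules": {
  ".read": true,
  "users": {
    ".write": "auth != null",
    "$uid": {".read": "auth.uid == $uid", ".write": "auth.uid == $uid"}
  },
  "public": {".read": true, ".write": false}
}}""")

def classify(expr: Any) -> Optional[str]:
    """Issue class of one .read/.write expression, or None if it looks scoped."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "public"  # anyone on the internet, no token needed
    compact = expr.replace(" ", "") if isinstance(expr, str) else ""
    if compact in ("auth!=null", "auth!==null", "auth.uid!=null"):
        return "any-authenticated"  # any account that can sign up qualifies
    return None

def walk(node: Dict[str, Any], path: str, inherited: Dict[str, str], out: List[Finding]) -> None:
    inherited = dict(inherited)  # grants flow down, not sideways to siblings
    for op in (".read", ".write"):
        if op not in node:
            continue
        if op in inherited:
            # Realtime Database rules cascade: a grant higher up cannot be revoked
            # here, so a restrictive child rule only gives a false sense of safety.
            out.append((path, op, f"cannot narrow inherited {inherited[op]} grant"))
            continue
        issue = classify(node[op])
        if issue:
            out.append((path, op, issue))
            inherited[op] = issue
    for key, child in node.items():
        if not key.startswith(".") and isinstance(child, dict):
            walk(child, f"{path}/{key}", inherited, out)

def audit(rules_doc: Dict[str, Any]) -> List[Finding]:
    """Return every over-broad or ineffective grant found in a rules document."""
    out: List[Finding] = []
    walk(rules_doc.get("rules", {}), "", {}, out)
    return out

if __name__ == "__main__":
    for path, op, issue in audit(SAMPLE_RULES):
        print(f"{path or '/'} {op}: {issue}")
```

An empty finding list is the target state for the remediated rules; `auth != null` alone is reported because any self-registered account satisfies it.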

Resources
