Recent investigations have uncovered that numerous mobile applications are inadvertently exposing sensitive user data due to misconfigured Google Firebase services. These misconfigurations allow unauthorized access to databases, storage buckets, Firestore collections, and Remote Config secrets, posing significant security risks.
Discovery of the Issue
On September 16, 2025, security researcher Mike Oude Reimer revealed that approximately 150 Firebase endpoints in top-ranked mobile apps were accessible without authentication. This exposure included user credentials, private messages, and high-privilege API tokens, highlighting systemic weaknesses in Firebase security configurations.
Exploitation by Attackers
Following this disclosure, analysts observed a surge in automated scanning tools exploiting these vulnerabilities. Attackers utilized these tools to harvest millions of records by extracting Firebase project IDs from app APK files or known naming conventions and probing service endpoints for open permissions.
Root Causes of Misconfigurations
The primary cause of these exposures is the improper configuration of Firebase security rules. Developers often select Firebase’s test mode during initial setup, which grants public read and write access for 30 days. Many developers either forget to implement proper security rules after this period or extend the permissive configuration, leaving production environments vulnerable.
Extent of Data Exposure
The impact of these misconfigurations is extensive. Exposed storage buckets have contained millions of user ID photos, cleartext passwords, and even AWS root access tokens. In one instance, a storage bucket belonging to an app with over 100 million downloads was discovered hosting user ID photos, allowing attackers to compile vast identity databases. Misconfigured Realtime Databases revealed private chat logs and geolocation information, while Remote Config endpoints exposed private API keys for third-party services.
Technical Exploitation Methods
Attackers employ scanning tools like OpenFirebase to parse Android Package Kit (APK) files, extracting Firebase project IDs, API keys, and Google App IDs. These identifiers are used to construct service URLs and issue requests to determine if databases are publicly accessible. For example, a simple GET request appending `.json` to the endpoint can reveal if a Realtime Database is public. Similarly, for Remote Config, attackers extract the `google_api_key` and `google_app_id` from `strings.xml` before constructing a POST request to the Remote Config API.
Historical Context
This is not the first time Firebase misconfigurations have led to data exposures. In 2018, research from Appthority revealed that 3,000 mobile iOS and Android apps leaked over 100 million records of user data due to unprotected Firebase databases. These records included plain text passwords, user IDs, and other sensitive information. Similarly, in 2020, Comparitech discovered that thousands of Android applications were leaking sensitive information due to Firebase misconfigurations, affecting apps with a combined download count of more than 4.22 billion.
Recommendations for Developers
To mitigate these risks, developers should:
– Implement Proper Security Rules: Avoid using test mode in production environments and ensure that security rules are correctly configured to restrict unauthorized access.
– Regularly Audit Configurations: Periodically review and update Firebase security settings to identify and rectify misconfigurations.
– Utilize Firebase’s Security Features: Leverage Firebase’s built-in security features, such as authentication and rule-based authorization, to protect user data.
– Educate Development Teams: Provide training on secure coding practices and the importance of proper configuration to prevent inadvertent data exposures.
Conclusion
The widespread exposure of sensitive user data due to misconfigured Firebase services underscores the critical need for developers to prioritize security in their application development processes. By implementing proper security measures and regularly auditing configurations, developers can protect user data and maintain trust in their applications.
