
Multiple Apps on Google’s Firebase Platform Exposing Sensitive Data

A comprehensive security analysis has revealed a widespread vulnerability affecting Firebase-powered mobile applications, with over 150 popular apps inadvertently exposing sensitive user data through misconfigured Google Firebase services.

The scope of this security crisis dwarfs previous incidents, potentially affecting thousands of applications with millions of downloads worldwide.

Security researcher analysis of approximately 1,200 mobile applications from just three app categories revealed alarming security gaps in Firebase implementations.

Among apps using Firebase services—which comprise roughly 80% of all mobile applications—over 150 were found to allow completely unauthenticated access to critical data stores including Realtime Databases, Storage Buckets, Firestore databases, and Remote Configuration secrets.

The exposed applications aren’t obscure programs with minimal user bases. Many of the vulnerable apps boast download counts exceeding 100,000, with numerous applications reaching 1 million, 5 million, 10 million, 50 million, or even 100 million downloads.

This scale significantly surpasses the Tea app data breach, which affected only 500,000+ downloads.

A Google API can be used to access the PROJECT_ID.appspot.com storage bucket.

The implications become more concerning when extrapolated across all app categories. With only three of 32-34 total app categories analyzed, researchers estimate approximately 4,800 Firebase services could potentially be accessed without authentication, containing vast amounts of sensitive user data.

Types of Exposed Sensitive Information

The variety and sensitivity of exposed data is staggering. Researchers discovered payment processing details, comprehensive user personal information, millions of unique identifiers, private messaging conversations, cleartext passwords alongside encrypted credentials, user prompts and queries, and high-privilege GitHub and Amazon Web Services tokens.

The Firebase Admin SDK docs state that this used to be the old format for Realtime Databases created before September 2020.

These discoveries highlight how Firebase misconfigurations can expose not just user data, but critical infrastructure access credentials that could enable broader organizational compromises.

The primary vulnerability stems from Firebase’s “test mode” configuration option. When developers initialize Firebase Storage, Realtime Database, or Firestore services, they can choose between production mode—where data remains private by default—or test mode, which makes data publicly accessible for 30 days to facilitate rapid development.

Particularly concerning were findings of AWS root account access tokens and GitHub tokens providing complete repository control.

Initially, these keys and IDs are automatically generated from the google-services.json file during build time.

Firebase explicitly warns developers that test mode security rules “allow anyone with your storage bucket reference to view, edit and delete all data in your storage bucket for the next 30 days.”

However, many developers simply extend these permissive rules beyond the 30-day period rather than implementing proper security configurations.

Additional contributing factors include inadequate understanding of Firebase security rules best practices and reliance on insecure code examples that suggest overly permissive access controls for testing purposes.
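As an added illustration (not code from the researchers or from OpenFirebase), the following Python audit walks a Realtime Database rules document and flags the two patterns the article describes: unconditional `true` rules and the time-limited "test mode" idiom (`now < <timestamp>`) that developers extend past the original 30 days. Both rules documents are constructed samples, and the hardened one shows the per-user `auth.uid` gating that should replace them.

```python
import json
import re
import time

# Constructed sample rules documents (not taken from any real app). The first has
# the shape Firebase generates for "test mode": public read/write until a Unix
# millisecond timestamp, here pushed out to 2100-01-01 as developers often do.
TEST_MODE_RULES = json.dumps({"rules": {
    ".read": "now < 4102444800000",
    ".write": "now < 4102444800000",
    "users": {"$uid": {".read": "auth != null && auth.uid == $uid"}},
}})

# Hardened shape: nothing readable at the root, per-user paths gated on auth.uid.
HARDENED_RULES = json.dumps({"rules": {
    ".read": False,
    ".write": False,
    "users": {"$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
    }},
}})

EXPIRY_RE = re.compile(r"^\s*now\s*<\s*(\d{13})\s*$")  # the test-mode expiry idiom
DAY_MS = 86_400_000

def classify_rule(expr, now_ms):
    """Classify one .read/.write expression; None means it is not a public-access pattern."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return ("public", "unconditional access")
    if isinstance(expr, str):
        m = EXPIRY_RE.match(expr)
        if m:
            days_left = (int(m.group(1)) - now_ms) // DAY_MS
            if days_left < 0:
                return ("expired", "test-mode rule already expired (now denies access)")
            return ("test-mode", f"public access still open for {days_left} more days")
    return None

def audit_rules(rules_json, now_ms=None):
    """Walk a Realtime Database rules document; return (path, op, category, detail) findings."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    findings = []
    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                hit = classify_rule(value, now_ms)
                if hit:
                    findings.append((path or "/", key, hit[0], hit[1]))
            elif isinstance(value, dict):
                walk(value, path + "/" + key)
    walk(json.loads(rules_json)["rules"], "")
    return findings

if __name__ == "__main__":
    for name, doc in (("test-mode", TEST_MODE_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(doc) or "no public-access rules")
```

Run it against the rules exported from the Firebase console (Realtime Database > Rules); any `test-mode` or `public` finding at `/` means the whole database is readable or writable without a token.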

To address limitations in existing Firebase security tools, researchers developed OpenFirebase, an automated security scanner capable of extracting Firebase configurations from mobile app packages (APKs) and testing for unauthorized access across multiple services simultaneously.

Unlike existing tools that typically check only single services using limited methods, OpenFirebase comprehensively scans Firebase Storage, Realtime Databases, Remote Config, and Firestore services across various URL formats and permission combinations. The tool can process individual apps or conduct mass analysis across thousands of applications.

Service-Specific Vulnerability Findings

Firebase Storage: Among 937 scanned projects, 44 storage buckets allowed public access, with 386 properly protected and 507 returning “not found” errors.

One notable case involved an application with 100+ million downloads storing user ID photos accessible without authentication.

Realtime Databases: Analysis revealed 35 publicly accessible databases among 937 projects, with 277 properly protected, 467 not found, and 158 locked or deactivated.

Exposed databases contained user credentials, chat conversations, location coordinates, and other sensitive personal information.

Remote Config: The most widespread exposure involved 383 publicly accessible remote configurations, with only 61 properly protected. While Remote Config exposure isn’t inherently problematic, approximately 30 instances contained hardcoded secrets, API keys, and authentication tokens.

Firestore: Researchers identified 50 projects with publicly accessible Firestore databases among 929 scanned, with 675 properly protected and 122 in Datastore mode. Twenty-four specific collections were identified as openly accessible.

The Firebase security crisis represents a systemic issue affecting the mobile app ecosystem’s foundation.

With Firebase powering approximately 80% of mobile applications, these widespread misconfigurations create an extensive attack surface threatening millions of users’ sensitive data.

Organizations using Firebase must immediately audit their security configurations and implement proper access controls to prevent unauthorized data exposure.
