Quite a few mobile applications have been found to expose sensitive user data via misconfigured Firebase services, allowing unauthenticated attackers to access databases, storage buckets, Firestore collections, and Remote Config secrets.
This widespread issue first came to light when security researcher Mike Oude Reimer published findings on 16 September 2025, demonstrating that roughly 150 different Firebase endpoints in top-ranked mobile apps were accessible without any authentication.
These exposures ranged from user credentials and private messages to high-privilege API tokens, underscoring a systemic weakness in how developers configure Firebase security rules.
In the weeks following the initial disclosure, ice0 analysts identified a surge in automated scanning tools exploiting this vulnerability, with attackers harvesting millions of records in bulk.
These tools rely on extracting Firebase project IDs from app APK files or known naming conventions, then probing various service endpoints for open permissions.
Although Firebase warns developers that test-mode configurations expire after 30 days, many teams extend these insecure rules or inadvertently leave production environments in test mode.
The result is an expansive attack surface that miscreants can exploit with minimal effort, jeopardizing both enterprise and consumer data.
The impact extends beyond trivial resources such as public images or non-sensitive flags.
At scale, exposed storage buckets have contained millions of user ID photos, cleartext passwords, and even AWS root access tokens.
In one instance, a storage bucket belonging to an app with over 100 million downloads was found hosting user ID photos, allowing attackers to compile huge identity databases.
Similarly, misconfigured Realtime Databases revealed private chat logs and geolocation data, while Remote Config endpoints exposed private API keys for third-party services.
ice0 analysts noted that many of these leaks went unreported or were dismissed as non-issues until full datasets were downloaded and inspected.
The following section explores the infection mechanism leveraged by scanning tools to enumerate and exploit Firebase services, focusing on APK extraction, endpoint discovery, and unauthenticated data retrieval.
Infection Mechanism: APK Analysis and Endpoint Enumeration
Scanning tools like OpenFirebase begin by parsing Android Package Kit (APK) files to extract Firebase project IDs, API keys, and Google App IDs from the compiled res/values/strings[.]xml and the bundled google-services[.]json.
These identifiers serve as the primary inputs for constructing service URLs. For example, to retrieve a Realtime Database, the scanner issues a simple GET request appending [.]json to the endpoint:
curl -s https[:]//PROJECT_ID-default-rtdb[.]firebaseio[.]com/[.]json
If the response returns HTTP 200 OK with JSON content, the database is flagged as public. Where the database resides in a different region, the initial request returns a JSON error containing the correct regional endpoint, which the tool uses to reissue the request.
Two-step lookup ensures comprehensive coverage (Source – ice0)
This two-step lookup ensures comprehensive coverage without brute-forcing every possible region variation.
For Remote Config, scanners extract both the google_api_key and google_app_id from strings[.]xml before constructing a POST request to the Remote Config API:
curl -s -X POST \
  -H "Content-Type: application/json" \
  -d '{"appId":"GOOGLE_APP_ID","appInstanceId":"any"}' \
  "https[:]//firebaseremoteconfig[.]googleapis[.]com/v1/projects/PROJECT_ID/namespaces/firestore[:]fetch"
A successful 200 OK response containing configuration data or secrets confirms unauthenticated access to the Remote Config entries.
Some configurations return the NOTEMPLATE error when no config exists, allowing scanners to differentiate between protected endpoints and empty ones.
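Because a Remote Config fetch succeeds for anyone holding the app's public identifiers, the defensive question is not whether the endpoint answers but what has been placed in it. The following script is an added example, not code from the article, from ice0 or from OpenFirebase: it takes the flat {"entries": {...}} payload that a Remote Config fetch returns (the shape is assumed here; compare it with your own project's response) and flags parameters whose name or value looks like a credential, using issuer-documented key prefixes and a Shannon-entropy heuristic. The sample payload is constructed and contains no real secrets.

```python
"""Audit a Firebase Remote Config fetch payload for values that look like secrets.

Added example, not code from the article, from ice0 or from OpenFirebase.
Remote Config is readable by any client that holds the app's public
identifiers, so every value placed there must be treated as public. This
script takes the flat {"entries": {...}} shape returned by a Remote Config
fetch (assumed here; verify against your own export) and flags parameters
whose name or value suggests a credential.
"""
import json
import math
import re
from typing import Dict, List, Tuple

# Parameter names that should never carry credentials in a public channel.
SUSPICIOUS_NAME = re.compile(
    r"(secret|token|passw(or)?d|private|api[_-]?key|access[_-]?key|credential)",
    re.IGNORECASE,
)

# Credential formats with issuer-documented prefixes (AWS, GitHub, PEM).
KNOWN_FORMATS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random keys score well above prose."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def audit_remote_config(
    fetch_payload: dict, entropy_threshold: float = 4.0, min_len: int = 20
) -> List[Tuple[str, str]]:
    """Return (parameter_name, reason) for every entry that looks like a secret."""
    findings: List[Tuple[str, str]] = []
    for name, value in fetch_payload.get("entries", {}).items():
        if not isinstance(value, str):
            value = json.dumps(value)  # JSON-typed parameters are scanned as text
        # 1. Known credential formats win regardless of the parameter name.
        label = next((lbl for lbl, pat in KNOWN_FORMATS.items() if pat.search(value)), None)
        if label:
            findings.append((name, label))
        # 2. A credential-like name is a finding even when the value looks benign.
        elif SUSPICIOUS_NAME.search(name):
            findings.append((name, "credential-like parameter name"))
        # 3. Long, space-free, high-entropy strings are likely keys under a neutral name.
        elif len(value) >= min_len and " " not in value and shannon_entropy(value) >= entropy_threshold:
            findings.append((name, "high-entropy value"))
    return findings


# Constructed sample in the shape of a fetch response; no real credentials.
SAMPLE_FETCH_RESPONSE = {
    "entries": {
        "welcome_banner": "Welcome back! Check out what's new this week.",
        "feature_new_checkout": "true",
        "maps_api_key": "constructed-placeholder-not-a-real-key",
        "aws_backup_key": "AKIAIOSFODNN7EXAMPLE",  # AWS's documented example key id
        "upload_token": "ghp_0123456789abcdefghijABCDEFGHIJklmnop",  # constructed
        "session_salt": "q7Gx9vL2mP4nR8sT1wY5zA3bC6dE0fH",  # constructed
    },
    "state": "UPDATE",
}

if __name__ == "__main__":
    for param, reason in audit_remote_config(SAMPLE_FETCH_RESPONSE):
        print(f"{param}: {reason}")
```

Run it against the JSON your own app receives from the fetch endpoint; anything it reports belongs in a backend, not in a client-readable config. The entropy threshold of 4.0 bits per character and the 20-character minimum are tuning assumptions that keep feature flags and banner text out of the report.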
By automating APK decompilation with tools like JADX and iterating through Firestore collection names, either extracted from code references or guessed via wordlists, attackers can enumerate public Firestore instances.
Github token (Source – ice0)
A query to a non-existent collection returns an empty JSON array rather than an authentication error, signaling vulnerability without prior knowledge of collection names.
This infection mechanism, combining APK metadata extraction with targeted API calls, highlights how minimal information disclosure can lead to full data leakage. Organizations relying on
Firebase must implement strict security rules, audit test-mode expirations, and remove hardcoded keys to prevent these automated attacks.
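Auditing test-mode expirations can be automated against the rules JSON itself. The script below is an added example, not code from the article, from ice0 or from Firebase: it walks a Realtime Database rules document of the shape {"rules": {...}} and reports every ".read" or ".write" that is unconditionally true or that still uses the console's test-mode form "now < <unix-ms>", distinguishing rules that are currently open from ones whose expiry has already passed (which deny everyone and tend to get extended rather than replaced). The three rule documents are constructed samples, and the timestamps are illustrative.

```python
"""Audit Firebase Realtime Database rules for public or lingering test-mode access.

Added example, not code from the article, from ice0 or from Firebase. It
walks a rules document of the shape {"rules": {...}} (the JSON the console
and the CLI export) and reports every ".read"/".write" that is
unconditionally true or that uses the console's test-mode expiry form
"now < <unix-ms>", noting whether that expiry has already passed.
"""
import re
import time
from typing import List, Optional, Tuple

# Test-mode rules generated by the console look like "now < 1767225600000".
TEST_MODE = re.compile(r"^\s*now\s*<\s*(\d{10,16})\s*$")
MS_PER_DAY = 86_400_000


def classify_rule(expr, now_ms: int) -> Optional[str]:
    """Return a verdict for one rule expression, or None if it needs no attention."""
    if expr is True or (isinstance(expr, str) and expr.strip() == "true"):
        return "public: rule is unconditionally true"
    if isinstance(expr, str):
        match = TEST_MODE.match(expr)
        if match:
            expiry_ms = int(match.group(1))
            if expiry_ms > now_ms:
                days_left = (expiry_ms - now_ms) / MS_PER_DAY
                return f"public: test-mode rule, expires in {days_left:.0f} days"
            # An expired test-mode rule denies everyone, which breaks the app and
            # tempts someone to push the date forward; replace it with real rules.
            return "locked: test-mode rule already expired, replace with auth rules"
    return None


def audit_rules(rules_doc: dict, now_ms: Optional[int] = None) -> List[Tuple[str, str, str]]:
    """Return (path, rule_key, verdict) for every rule that is public or test-mode."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    findings: List[Tuple[str, str, str]] = []

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                verdict = classify_rule(value, now_ms)
                if verdict:
                    findings.append((path or "/", key, verdict))
            elif not key.startswith("."):
                # ".validate"/".indexOn" are skipped; child paths (incl. $wildcards) are walked.
                walk(value, f"{path}/{key}")

    walk(rules_doc.get("rules", {}), "")
    return findings


# Constructed samples. Dates are illustrative, not taken from any real project.
TEST_MODE_RULES = {"rules": {".read": "now < 1767225600000", ".write": "now < 1767225600000"}}
PUBLIC_RULES = {"rules": {".read": True, "chat": {".read": "true", ".write": "auth != null"}}}
HARDENED_RULES = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "announcements": {".read": "auth != null", ".write": False},
    }
}

if __name__ == "__main__":
    for name, doc in (("test-mode", TEST_MODE_RULES), ("public", PUBLIC_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(doc) or "no findings")
```

Point it at the rules file your CI deploys (for example the one referenced by firebase.json) and fail the build on any "public" verdict; the hardened sample shows the shape that passes, with every branch gated on auth and per-user paths tied to the requesting uid.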