PTKD Mobile App Security
Severity: medium | Category: M9 | Control: MASVS-STORAGE-2 | Detection: static analysis | Finding ID: PTKD-PRIV-FIREBASE

Firebase Realtime Database endpoint embedded

A *.firebaseio.com endpoint is present in the app. If the database rules are not locked down, everything stored under that endpoint is world-readable and/or world-writable.

How it's exploited

An embedded firebaseio.com endpoint invites the classic misconfiguration check: append /.json to the database URL and see whether the database answers without authentication. Openly readable or writable Firebase Realtime Databases are found by scanners within hours of appearing in an app.
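The following script is an added example, not part of the PTKD knowledge base or of Firebase's own tooling. It shows the two halves of this finding: the static-analysis side (pulling *.firebaseio.com hosts out of strings extracted from an app) and the verification side (performing the unauthenticated GET /.json against your own database and interpreting the answer). The regular expression, the constructed sample strings and the hostname example-app-default-rtdb are assumptions for illustration; the 401 status and the {"error": "Permission denied"} body are what the Realtime Database returns when rules deny an unauthenticated read.

```python
import json
import re
import sys
import urllib.error
import urllib.request

# Matches Realtime Database hosts such as https://<project>-default-rtdb.firebaseio.com
# (pattern constructed for this example; adapt it to your own string extractor).
FIREBASE_RTDB_RE = re.compile(r"https?://[a-z0-9-]+\.firebaseio\.com", re.IGNORECASE)

# Constructed sample of strings as a static-analysis pass might extract them from an app.
SAMPLE_STRINGS = """
com.example.app
https://example-app-default-rtdb.firebaseio.com
https://api.example.com/v1
"""


def find_firebase_endpoints(text):
    """Return the distinct Realtime Database hosts referenced in extracted app strings."""
    return sorted({m.group(0).lower() for m in FIREBASE_RTDB_RE.finditer(text)})


def classify_rtdb_response(status, body):
    """Interpret the result of an unauthenticated GET <host>/.json.

    'locked'  - rules denied the request; this is the desired outcome
    'open'    - data came back without credentials: world-readable
    'empty'   - readable but nothing stored at the root; the rules are still wrong
    'unknown' - anything else (rate limiting, outage, non-JSON answer)
    """
    if status == 401 or (isinstance(body, dict) and body.get("error") == "Permission denied"):
        return "locked"
    if status == 200:
        return "empty" if body is None else "open"
    return "unknown"


def check_endpoint(host, timeout=10):
    """Fetch <host>/.json without credentials and classify the answer."""
    url = host.rstrip("/") + "/.json"
    req = urllib.request.Request(url, headers={"User-Agent": "rtdb-rules-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # 401 arrives here, with the error body
        status, raw = exc.code, exc.read()
    except (urllib.error.URLError, OSError):
        return "unknown"
    try:
        body = json.loads(raw.decode("utf-8"))
    except ValueError:
        body = raw.decode("utf-8", "replace")
    return classify_rtdb_response(status, body)


if __name__ == "__main__":
    # Pass hosts on the command line, or let the sample strings drive the demo.
    hosts = sys.argv[1:] or find_firebase_endpoints(SAMPLE_STRINGS)
    for host in hosts:
        print(host, "->", check_endpoint(host))
```

Run it against the database URL the scanner reported; anything other than "locked" means the rules in the Firebase console need attention before the build ships. The classifier treats a 200 with a null body as a finding too, because an empty-but-readable root will become a readable dataset the moment the app writes to it.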

Why it matters

If the rules are weak, the entire realtime database (user records, chat history, tokens) is publicly readable or writable by anyone who knows the URL.

How to fix it

  1. Open the Firebase console and lock the database rules: no public read/write; require authentication and scope access to per-user paths.
  2. Test the endpoint yourself: an unauthenticated GET https://<db>.firebaseio.com/.json must return "Permission denied".
  3. Treat the URL itself as public knowledge; security must live in the rules, not in obscurity.
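The rules below are an added example of the per-user pattern from step 1, not rules taken from the PTKD knowledge base or from any particular app. The insecure form this replaces is a root-level `".read": true, ".write": true` (or the older test-mode default), which is what makes the /.json check succeed. The path name users and the $uid wildcard are assumptions; adapt them to your own data layout.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

Two points worth checking when you write your own version: paths with no rule at all are denied, so leaving the root without `.read`/`.write` is correct rather than an omission; and a bare `"auth != null"` is not enough for multi-user data, because it lets any signed-in account read every other user's records. Read/write grants also cascade downward, so a permissive rule on a parent path cannot be undone by a stricter rule on a child.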

References