A *.firebaseio.com endpoint is present. If the database rules are not locked down, the data is world-readable/writable.
How it's exploited
An embedded firebaseio.com endpoint invites the classic misconfiguration check: append /.json and see if the database answers without auth. Openly readable or writable Firebase RTDBs are found by scanners within hours.
Why it matters
If rules are weak, the entire realtime database (user records, chat, tokens) is publicly readable or writable.
How to fix it
Open the Firebase console and lock database rules: no public read/write; require auth and per-user paths.
Test the endpoint yourself: GET https://<db>.firebaseio.com/.json must return "permission denied".
Treat the URL itself as public knowledge; security must live in the rules, not obscurity.