Level 10
"More than 4,000 Android apps that use Google's cloud-hosted Firebase databases are 'unknowingly' leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.

"4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication," Comparitech said."

More on this - Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

There was a similar security issue with Firebase in 2018 - Security Alert - 3,000+ mobile apps leaking data from unsecured Firebase databases


Staff member
If it's easy to get wrong, then it's developed to be insecure by default.
This question from a developer who got a warning email from Google received an answer from Firebase engineer Frank van Puffelen, who explained that simply requiring authentication is insufficient.

"If you enable any auth provider in Firebase Authentication, anyone can sign in to your back-end, even without using your app. Depending on the provider, this can be as easy as running a bit of JavaScript in your browser's developer console. And once they are signed in, they can read and write anything in your database."

Firebase configuration is, it seems, easy to get wrong.
It's quite common that these server services are misconfigured leaking all sorts of sensitive data, Amazon, Google and others all enjoy this.