A couple of months ago I was doing a few penetration tests when I encountered Firebase configurations. Each time, I found myself stringing together a bunch of cURL commands and one-off Python scripts to check for common misconfigurations. After the third engagement, I realised this was pretty inefficient.
I was looking for a tool where I could just set the configuration and run enumeration checks. Something like msfconsole but for Firebase. I couldn't find anything that fit the bill, so I built it myself.
The Problem
Firebase is incredibly popular - it powers millions of apps. But its security model is... tricky. The core issue is that Firebase uses declarative security rules. A single || operator in the wrong place can expose your entire database.
During pentests, I kept seeing the same patterns:
RTDB nodes readable without authentication
Firestore collections with open read rules
Cloud Storage buckets listing all files
Cloud Functions without proper auth checks
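The checks behind the first two of those patterns are exactly what I was hand-rolling with cURL before FireScan. The Python below is an added example (not FireScan's code) of that check, for auditing a Firebase project you own: each path in a wordlist is requested from the RTDB and Firestore REST endpoints once anonymously and, if an ID token is supplied, once more with an Authorization header, which is what catches rules that only require request.auth != null instead of checking the owner's uid. The project id, paths, token and the canned HTTP responses are constructed so the script runs offline; live_fetch is the equivalent real request. The -default-rtdb instance name is an assumption, since a project can have other instances.

```python
# Added example, not FireScan's code: the hand-rolled check the post describes,
# for auditing a Firebase project you own. Every name, path and HTTP response
# below is constructed for the example; nothing here touches the network
# unless you pass live_fetch.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# A fetcher takes (url, headers) and returns (status, body) for a GET.
Fetch = Callable[[str, dict], tuple[int, str]]


def rtdb_url(project_id: str, path: str) -> str:
    # Assumes the default RTDB instance name; projects may have others.
    return f"https://{project_id}-default-rtdb.firebaseio.com/{path}.json"


def firestore_url(project_id: str, collection: str) -> str:
    # Firestore REST "list documents" endpoint for a top-level collection.
    return (f"https://firestore.googleapis.com/v1/projects/{project_id}"
            f"/databases/(default)/documents/{collection}")


@dataclass
class Finding:
    service: str    # "rtdb" or "firestore"
    path: str
    mode: str       # "anonymous" or "authenticated"
    severity: str
    detail: str


def classify(service: str, status: int, body: str) -> Optional[str]:
    """Return why the response counts as exposed data, or None if it does not."""
    if status != 200:
        return None        # 401/403 = rules denied the read; 404 etc. = no data
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if service == "rtdb":
        # RTDB answers "null" for a readable but empty node; report only real data
        return "node readable" if data is not None else None
    docs = data.get("documents") if isinstance(data, dict) else None
    # A readable but empty collection lists no documents; nothing exposed yet
    return f"{len(docs)} document(s) listed" if docs else None


def scan(project_id: str, paths: list[str], fetch: Fetch,
         id_token: Optional[str] = None) -> list[Finding]:
    """Try each path anonymously, then (if a token is given) as a signed-in user."""
    modes = [("anonymous", {})]
    if id_token:
        # Token from a throwaway account: catches rules that only require
        # request.auth != null instead of checking the owner's uid.
        modes.append(("authenticated", {"Authorization": f"Bearer {id_token}"}))
    findings = []
    for path in paths:
        for service, url in (("rtdb", rtdb_url(project_id, path)),
                             ("firestore", firestore_url(project_id, path))):
            for mode, headers in modes:
                status, body = fetch(url, headers)
                reason = classify(service, status, body)
                if reason:
                    findings.append(Finding(service, path, mode, "High", reason))
                    break  # an anonymous read already proves it; skip the retest
    return findings


def live_fetch(url: str, headers: dict) -> tuple[int, str]:
    """Real GET for use against your own project (not used by the demo below)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


# Constructed responses for a made-up project: "users" is owner-only in
# Firestore but readable by any signed-in user in RTDB; "messages" is
# world-readable in Firestore.
PROJECT = "example-app-abc123"
DENIED = (403, '{"error": {"code": 403, "status": "PERMISSION_DENIED"}}')
CANNED = {
    (rtdb_url(PROJECT, "users"), False): (401, '{"error" : "Permission denied"}'),
    (rtdb_url(PROJECT, "users"), True): (200, '{"u1": {"email": "a@example.com"}}'),
    (firestore_url(PROJECT, "users"), False): DENIED,
    (firestore_url(PROJECT, "users"), True): DENIED,
    (firestore_url(PROJECT, "messages"), False): (200, json.dumps({"documents": [
        {"name": f"projects/{PROJECT}/databases/(default)/documents/messages/m1",
         "fields": {"text": {"stringValue": "hi"}}}]})),
}


def fake_fetch(url: str, headers: dict) -> tuple[int, str]:
    authed = "Authorization" in headers
    return CANNED.get((url, authed), (404, '{"error": "Not Found"}'))


if __name__ == "__main__":
    for f in scan(PROJECT, ["users", "messages"], fake_fetch, id_token="constructed-id-token"):
        print(f"[{f.service}] {f.path}: {f.detail} ({f.mode} read)")
```

Two design points carry over to any scanner like this: a 200 alone is not a finding (RTDB returns null for an empty but readable node, and Firestore returns an empty document list), and the anonymous pass should run before the authenticated one so an exposed path is reported once, at the weaker trust level.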
The Tea app breach is a perfect example - misconfigured Firestore rules exposed sensitive user data. This wasn't a sophisticated attack; it was just someone checking whether default or weak rules were still in place.
What I Wanted
Coming from a pentesting background, I needed something that:
Works with minimal information (i.e. just the projectID and web API key)
Tests comprehensively
Is safe by default (won't accidentally damage production data)
Handles authentication properly
Scales to large wordlists
None of the existing tools checked all these boxes.
Introducing FireScan
FireScan is a tool designed for penetration testers and developers to audit the security posture of Firebase projects. It provides an interactive console to enumerate databases, test storage rules, check function security, and much more, all from a single, easy-to-use interface.
$ firescan
███████╗██╗██████╗ ███████╗███████╗ ██████╗ █████╗ ███╗ ██╗
██╔════╝██║██╔══██╗██╔════╝██╔════╝██╔════╝██╔══██╗████╗ ██║
█████╗ ██║██████╔╝█████╗ ███████╗██║ ███████║██╔██╗ ██║
██╔══╝ ██║██╔══██╗██╔══╝ ╚════██║██║ ██╔══██║██║╚██╗██║
██║ ██║██║ ██║███████╗███████║╚██████╗██║ ██║██║ ╚████║
╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚══════╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═══╝
FireScan v1.0 - The Firebase Security Auditor
firescan > set projectID my-app-12345
firescan > set apiKey AIza...
firescan > auth --create-account
✓ Successfully authenticated
firescan > scan --all
Key Features
Example
Here's a real scenario from a recent test, with the real data replaced:
firescan > set projectID example-app-abc123
firescan > set apiKey AIzaSy...
firescan > auth --create-account
firescan > scan --firestore -l all
[✓] Scanning... [Checked: 200/200 | Found: 4]
[Firestore] Vulnerability Found!
├── Timestamp: 2025-01-15T10:23:45Z
├── Severity: High
├── Type: Firestore
└── Path: users
[Firestore] Vulnerability Found!
├── Timestamp: 2025-01-15T10:23:47Z
├── Severity: High
├── Type: Firestore
└── Path: messages
firescan > extract --firestore --path users
{
  "documents": [
    {
      "DOCUMENT_ID": "user_12345",
      "email": "john.doe@example.com",
      "name": "John Doe",
      ...
    }
  ]
}
In under 2 minutes, I found two readable collections and extracted the data. Without FireScan, this would have taken me 20 minutes of manual curl commands.