Well, I was just thinking that if someone produces the same look and feel and sends an email to the…
Osama Sayed

You can limit firebase to access from only a certain domains. Even though you can get around it using server-side code, the browser environment on a user’s computer accessing a different domain will not be able to connect to your firebase database directly.

So, in order to capture a user’s password, they’ll need to intercept it on their own server and then route it to the firebase by pretending to be the same domain as yours.

How’s that any different from a regular phishing attack, where say you have your own Web API layer.

Hopefully, this answers your Q. Or maybe I’m missing the exact scenario you have in your mind and I didn’t fully understand it.

Let me know and keep the feedback coming.