In 2017, Appthority (since acquired by Symantec, which was in turn acquired by Broadcom) uncovered a very nasty threat to Firebase apps. This wasn’t caused by a loophole in Firebase itself, but by that old classic: human negligence. In 2018, over 3000 apps were discovered to be leaking over 100 million records from misconfigured Firebase backend databases. Imagine how rich you’d be if that was in dollars. Their Mobile Threat Team aptly named this type of backend exposure HospitalGown.

By default, security rules on Firebase databases are open for all.


It’s left to the developer to properly configure rules for every table. Follow me as I dive deep into what happened, why, what could still happen, and what we can do about it. …
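To make the open-versus-configured difference concrete, here is an added example (not code from the original post) that audits a Firebase Realtime Database rules file for paths anyone can read or write without signing in. Both rulesets are constructed samples in strict JSON, and the function names are hypothetical.

```python
import json

# Constructed sample: the wide-open ruleset this post warns about.
OPEN_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed sample: per-user data locked to its owner, one deliberately
# public-read node that still requires sign-in to write.
LOCKED_RULES = json.loads("""
{"rules": {
  "users": {"$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"}},
  "public_posts": {".read": true, ".write": "auth != null"}}}
""")


def _is_open(expr):
    """True when a rule grants access with no condition at all."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def find_open_rules(ruleset):
    """Return sorted (path, operation) pairs usable without authentication.

    Realtime Database rules cascade: access granted at a parent path also
    applies to every child, so an open rule at "/" exposes the whole database.
    """
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path or "/", key[1:]))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(ruleset.get("rules", {}), "")
    return sorted(findings)


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("locked", LOCKED_RULES)):
        print(name, find_open_rules(rules))
```

A finding is a prompt for review rather than an automatic defect: the `public_posts` read rule is flagged even though it is intentional in this sample.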


Aliyu Yisa
