In 2017, Appthority — which was acquired by Symantec — which was acquired by Broadcom, uncovered a very nasty threat to Firebase apps. This wasn’t caused by a loophole in Firebase itself, but by the old classic human negligence. In 2018, over 3000 apps were discovered to be leaking over 100 million exposed records from misconfigured Firebase backend databases. Imagine how rich you’d be if that was in dollars. Their Mobile Threat Team aptly named this type of backend exposure HospitalGown.
By default, security rules on Firebase databases are open for all.
It’s left to the developer to properly configure rules for every table. Follow me as I dive deep into what happened, why, what could still happen, and what we can do about it. …