Firebase Security
Security checks for Firebase projects. Firestore rules, Realtime Database, Storage, Authentication, and Cloud Functions.
7 vulnerabilities
Firestore Rules Allow Read/Write True
Severity: critical. Firestore security rules set to 'allow read, write: if true' give any user, authenticated or not, full access to read, create, modify, and delete all documents.
Realtime Database Without Authentication
Severity: critical. Firebase Realtime Database rules set '.read: true' and '.write: true' at the root level, allowing anyone on the internet to read and modify all data.
Firebase Storage Rules Permissive
Severity: high. Firebase Cloud Storage rules allow any user to read, write, or delete files without authentication, exposing uploaded content and enabling file tampering.
Cascading Rules Misconfigured
Severity: high. Parent-level Firebase rules override restrictive child rules, granting broader access than intended to nested collections and documents.
Firebase API Key Exposed in Code
Severity: medium. Firebase configuration (apiKey, projectId, databaseURL) is hardcoded in JavaScript bundles and publicly accessible, enabling attackers to interact with your Firebase services.
Firebase Auth Without Restrictions
Severity: medium. Firebase Authentication allows sign-up without email verification, enabling attackers to create unlimited accounts and abuse authenticated-only features.
Cloud Functions Without Validation
Severity: high. Firebase Cloud Functions exposed as HTTP endpoints accept and process requests without verifying authentication tokens or validating input data.