Severity: medium | CWE-798

Firebase API Key Exposed in Code

Firebase configuration (apiKey, projectId, databaseURL) is hardcoded in JavaScript bundles and publicly accessible, enabling attackers to interact with your Firebase services.

How It Works

Firebase requires a configuration object with apiKey, authDomain, projectId, and other values embedded in client-side code. While Google states the API key alone is not a security risk, it becomes dangerous when combined with weak security rules. Attackers extract the config from the JavaScript bundle and use it to authenticate anonymously, query Firestore/RTDB, upload to Storage, or call Cloud Functions. The API key also enables abuse like sending push notifications or consuming quota on Firebase services.

Vulnerable Code

import { initializeApp } from 'firebase/app';

// Hardcoded in source, no App Check: the literal key, project id and bucket
// ship verbatim in the JavaScript bundle.
const firebaseConfig = {
  apiKey: 'AIzaSyD1234567890abcdefg',
  authDomain: 'my-app.firebaseapp.com',
  projectId: 'my-app-12345',
  storageBucket: 'my-app-12345.appspot.com'
};
const app = initializeApp(firebaseConfig);
Secure Code

import { initializeApp } from 'firebase/app';
import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check';

// Config from environment + App Check enabled.
// Note: NEXT_PUBLIC_* values are inlined into the client bundle at build time,
// so the key is still public. App Check, API key restrictions in Google Cloud
// Console and the security rules are what actually limit what a holder of
// the key can do with it.
const firebaseConfig = {
  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,
  authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,
  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,
  storageBucket: process.env.NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET
};
const app = initializeApp(firebaseConfig);
// App Check attaches a reCAPTCHA v3 attestation token to every request so the
// backend can reject calls that do not originate from this registered app.
initializeAppCheck(app, {
  provider: new ReCaptchaV3Provider(process.env.NEXT_PUBLIC_RECAPTCHA_KEY),
  isTokenAutoRefreshEnabled: true
});

Real-World Example

In 2023, researchers demonstrated that exposed Firebase API keys combined with open security rules allowed them to access data from thousands of apps. Tools like Pyrebase and firebase-exploiter automate the process of discovering and exploiting exposed Firebase configurations.

How to Prevent It

  • Enable Firebase App Check to verify requests come from your app
  • Restrict API key usage in Google Cloud Console to specific APIs and domains
  • Always enforce proper security rules regardless of API key exposure
  • Monitor Firebase usage for anomalous patterns indicating unauthorized access
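Catching the hardcoded form before it reaches a bundle, as an added example that is not code from the original page or from Firebase: a small pre-commit/CI check that flags any source line containing a well-formed Google API key or an apiKey assigned a string literal, while leaving process.env references alone. The sample sources inside it are constructed; the 39-character key is a made-up value of the right shape.

```javascript
// Added example (not the page's or Firebase's code): a pre-commit/CI check that
// flags Firebase configs whose apiKey is a source literal. Samples are constructed.

// Google API keys, Firebase web keys included, are 39 chars: "AIza" + 35 more.
const KEY_FORMAT = /AIza[0-9A-Za-z_-]{35}/;
// `apiKey: '...'`, "..." or `...` with a non-empty literal on the right.
// `apiKey: process.env.X` does not match, so env references are not flagged.
const APIKEY_LITERAL = /\bapiKey\s*:\s*(['"`])([^'"`]+)\1/;

// Keep only a prefix so the finding itself does not copy the key into CI logs.
const redact = (v) => v.slice(0, 6) + '...';

// Scan one file's text; returns [{ line, rule, value }] per suspicious line.
function scanFirebaseConfig(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    // Rule 1: any well-formed Google API key, even inside a minified bundle.
    for (const m of text.matchAll(new RegExp(KEY_FORMAT.source, 'g'))) {
      findings.push({ line, rule: 'google-api-key-literal', value: redact(m[0]) });
    }
    // Rule 2: apiKey assigned a literal that rule 1 did not already catch
    // (truncated or malformed keys, like the one in the vulnerable snippet).
    const lit = text.match(APIKEY_LITERAL);
    if (lit && !KEY_FORMAT.test(lit[2])) {
      findings.push({ line, rule: 'firebase-apikey-literal', value: redact(lit[2]) });
    }
  });
  return findings;
}

// Constructed samples; the 39-char key is a made-up value of the right shape.
const HARDCODED_SRC = [
  'const firebaseConfig = {',
  "  apiKey: 'AIzaSyD1234567890abcdefg',",
  "  projectId: 'my-app-12345'",
  '};',
].join('\n');
const MINIFIED_BUNDLE = 'var c={apiKey:"AIzaSyExampleExampleExampleExample12345",projectId:"my-app"};';
const ENV_SRC = [
  'const firebaseConfig = {',
  '  apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,',
  '  projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID',
  '};',
].join('\n');

for (const [name, src] of [['hardcoded', HARDCODED_SRC], ['bundle', MINIFIED_BUNDLE], ['env', ENV_SRC]]) {
  console.log(name, scanFirebaseConfig(src));
}
```

Wire `scanFirebaseConfig` over the staged files in a pre-commit hook, or over `dist/*.js` after the build, and fail the job on any finding.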

Affected Technologies

Firebase, Node.js, React, Mobile

Data Hogo detects this vulnerability automatically.
