Severity: medium
CWE-287

Firebase Auth Without Restrictions

Firebase Authentication allows sign-up without email verification, enabling attackers to create unlimited accounts and abuse authenticated-only features.

How It Works

Firebase Authentication by default allows anyone to create accounts without email verification. This means an attacker can programmatically create thousands of accounts using fake emails and gain authenticated access to your app. Many security rules check only 'request.auth != null', which these fake accounts satisfy. Without email verification, password-reset abuse and account enumeration also become easier. Attackers can also sign up with disposable email addresses to spam, abuse free tiers, or manipulate platform features like voting or reviews.

Vulnerable Code
import { createUserWithEmailAndPassword } from 'firebase/auth';
import { doc, setDoc } from 'firebase/firestore';

// No email verification required: any address, real or disposable, gets an account
const userCredential = await createUserWithEmailAndPassword(
  auth, email, password
);
// User immediately has full access; rules that only test request.auth != null
// treat this unverified account like any other signed-in user
await setDoc(doc(db, 'users', userCredential.user.uid), {
  email, createdAt: new Date()
});
Secure Code
import { createUserWithEmailAndPassword, sendEmailVerification } from 'firebase/auth';

const userCredential = await createUserWithEmailAndPassword(
  auth, email, password
);
// Send the verification link; the ID token carries email_verified=false until the
// user clicks it, so the rules below keep the account read/write-gated in the meantime
await sendEmailVerification(userCredential.user);

// In your Firestore security rules (firestore.rules), check emailVerified:
// allow write: if request.auth != null
//   && request.auth.token.email_verified == true;
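The two rules from this page, the weak 'request.auth != null' check and the email_verified check, expressed as JavaScript predicates over a rules-style request object so the policy can be unit-tested offline. This is an added example, not code from the page or from Firebase; the sample sessions are constructed, and the ownerOnly clause is an assumed tightening that is not on the page.

```javascript
// Weak rule from the page: any signed-in account, verified or not, is allowed.
const weakRule = (request) => request.auth != null;

// Fixed rule from the page: the ID token must carry email_verified == true.
const verifiedRule = (request) =>
  request.auth != null && request.auth.token.email_verified === true;

// Assumed extra clause (not on the page): a caller may only write its own
// /users/{uid} document.
const ownerOnly = (request, uid) =>
  verifiedRule(request) && request.auth.uid === uid;

// Evaluate a rule the way Firestore does for a write to /users/{uid}:
// anything other than a clean `true` (including an error from a missing
// field) is a deny.
function writeAllowed(rule, request, uid) {
  try {
    return rule(request, uid) === true;
  } catch (e) {
    return false;
  }
}

// Constructed sample sessions: the shape of request.auth for each caller.
const sessions = {
  anonymous: { auth: null },
  unverifiedBot: {
    auth: { uid: 'bot-1', token: { email: 'bot@disposable.test', email_verified: false } },
  },
  verifiedUser: {
    auth: { uid: 'u-42', token: { email: 'alice@example.com', email_verified: true } },
  },
  tokenWithoutEmailClaims: {
    auth: { uid: 'x-7', token: {} },
  },
};

// Names of the sample sessions a rule admits for a write to /users/{uid}.
// Run this in CI against your rule set to catch a regression to the weak rule.
function admitted(rule, uid = 'bot-1') {
  return Object.entries(sessions)
    .filter(([, request]) => writeAllowed(rule, request, uid))
    .map(([name]) => name);
}
```

With the weak rule every signed-in session, including the unverified bot account, passes; with the email_verified rule only the verified user does.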

Real-World Example

A social media startup using Firebase saw 50,000 fake accounts created in one week by bots. The accounts were used to post spam and manipulate trending algorithms. The app only checked 'auth != null' in rules, so all fake accounts had full write access.

How to Prevent It

  • Enable email verification and check email_verified in security rules
  • Add rate limiting on account creation endpoints
  • Use Firebase App Check to prevent automated sign-ups
  • Implement CAPTCHA on registration forms

Affected Technologies

Firebase, Node.js, React, Mobile

Data Hogo detects this vulnerability automatically.
