Severity: critical | CWE-862 (Missing Authorization)

Firestore Rules Allow Read/Write True

Firestore security rules set to 'allow read, write: if true' give any client, signed in or not, full access to read, create, modify, and delete every document in the database.

How It Works

Cloud Firestore evaluates every client request against the project's security rules before it touches a document; rules are deny-by-default, so access exists only where a rule grants it. The rule 'allow read, write: if true' makes every request succeed, whether or not request.auth is set. Firebase's test-mode starter rules are deliberately this open (older templates were a bare 'if true', current ones add a 30-day expiry on request.time), and projects routinely go to production with them unchanged. The Firebase client config (apiKey, projectId, and so on) is not a secret: it is embedded in every web bundle and mobile app, and the apiKey only identifies the project, it does not authorize anything. Anyone who extracts the projectId can therefore connect with the Firebase SDK, or call the Firestore REST API with no credentials at all, and perform any operation on any document. In practice that means bulk exfiltration of the whole database, deletion of collections, and injection of attacker-controlled content that the app then renders to its users.
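The check a practitioner wants here is whether a given project actually answers anonymous reads. The script below is an added example written for this page (it is not Firebase or Data Hogo code): it builds the public Firestore REST URL from nothing but the projectId, sends a request with no token, and classifies the answer. Requests without an Authorization header are evaluated with request.auth == null, so a 200 means the rules allow anonymous reads of that collection. The project ID, collection names and the stub HTTP responses are constructed for the demo; the fetch implementation is injectable so the logic runs offline. Only run it against projects you are authorised to test.

```javascript
// probe-firestore.js
// Added example for this page (not Firebase or Data Hogo code): an
// unauthenticated read probe against the public Firestore REST endpoint.
// Project ID, collection names and the stub responses below are constructed.

const FIRESTORE_BASE = "https://firestore.googleapis.com/v1";

// Lists the first `pageSize` documents of one collection. Only the projectId is
// required, and it ships in every app's public Firebase config.
function documentsUrl(projectId, collection, { database = "(default)", pageSize = 1 } = {}) {
  return `${FIRESTORE_BASE}/projects/${encodeURIComponent(projectId)}` +
    `/databases/${database}/documents/${encodeURIComponent(collection)}` +
    `?pageSize=${pageSize}`;
}

// Map an HTTP status plus parsed JSON body to a verdict.
function classifyResponse(status, body) {
  if (status === 200) {
    // A readable but empty collection answers {}, a populated one { documents: [...] }.
    const documents = Array.isArray(body.documents) ? body.documents.length : 0;
    return { verdict: "OPEN", documents };
  }
  if (status === 403) return { verdict: "DENIED", documents: 0 };    // rules rejected the anonymous read
  if (status === 404) return { verdict: "NOT_FOUND", documents: 0 }; // no such project or database
  return { verdict: "UNKNOWN", documents: 0 };
}

// fetchImpl is injectable so the logic can be exercised offline with a stub.
async function probeCollection(projectId, collection, fetchImpl = globalThis.fetch) {
  const url = documentsUrl(projectId, collection);
  const res = await fetchImpl(url);            // deliberately no Authorization header
  let body = {};
  try { body = await res.json(); } catch { /* non-JSON error page: treat as empty */ }
  return { collection, url, status: res.status, ...classifyResponse(res.status, body) };
}

// Collection names usually have to be guessed or pulled from the app's bundled
// JavaScript, so probe a candidate list and report each one.
async function probeProject(projectId, collections, fetchImpl = globalThis.fetch) {
  const results = [];
  for (const c of collections) results.push(await probeCollection(projectId, c, fetchImpl));
  return results;
}

// Constructed stub that answers the way a database deployed with
// 'allow read, write: if true' would: 200 for everything, data for `users`.
const DEMO_PROJECT = "example-app-12345";
const openStub = async (url) => ({
  status: 200,
  json: async () => (url.includes("/documents/users?")
    ? { documents: [{
          name: `projects/${DEMO_PROJECT}/databases/(default)/documents/users/u1`,
          fields: { email: { stringValue: "alice@example.com" } } }] }
    : {}),
});

// Demo run against the stub. Replace openStub with the real fetch (the default)
// to probe a project you own.
probeProject(DEMO_PROJECT, ["users", "posts"], openStub)
  .then((r) => console.log(JSON.stringify(r, null, 2)));
```

A DENIED verdict only proves that anonymous reads are blocked; rerun the same request with a Firebase ID token from a throwaway (or anonymous-auth) account to check whether the rules merely require sign-in rather than ownership.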

Vulnerable Code
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // {document=**} is a recursive wildcard: it matches every document
    // at every depth, so this single rule covers the entire database.
    match /{document=**} {
      // No reference to request.auth at all: anonymous clients pass.
      allow read, write: if true;
    }
  }
}
Secure Code
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // A user may read and write only their own profile document.
    match /users/{userId} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }
    // Posts are public to read; only the author may change them.
    match /posts/{postId} {
      allow read: if true;
      // On create there is no stored document yet (resource is null),
      // so the owner check must look at the incoming data.
      allow create: if request.auth != null
        && request.resource.data.authorId == request.auth.uid;
      // On update the stored owner must match, and the owner field
      // must not be rewritten to hand the post to someone else.
      allow update: if request.auth != null
        && resource.data.authorId == request.auth.uid
        && request.resource.data.authorId == resource.data.authorId;
      allow delete: if request.auth != null
        && resource.data.authorId == request.auth.uid;
    }
  }
}

Real-World Example

In 2020, security researchers from Comparitech found 24,000 Firebase databases exposed due to open rules. They contained 4.22 billion records including plaintext passwords, health records, financial transactions, and GPS coordinates from apps with millions of users.

How to Prevent It

  • Never deploy with 'allow read, write: if true' rules, and do not keep a catch-all match /{document=**} block that grants anything; rules are deny-by-default, so the wildcard is only ever needed for an explicit deny
  • Require request.auth != null on every rule that is not deliberately public, and remember it only proves the client signed in (Anonymous Auth satisfies it too); real authorization compares request.auth.uid with the document's owner
  • Scope write access to document owners using request.auth.uid, checking request.resource.data on create and resource.data on update and delete
  • Use the Firebase Emulator Suite and rules unit tests to exercise rules before deploying, and treat a rule that still carries a test-mode request.time expiry as a finding, not as a fix
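The first three points above can be enforced before deployment with a small pre-commit or CI check over the rules file itself. The linter below is an added example written for this page (it is not Firebase tooling or Data Hogo's detector): it walks a firestore.rules file, tracks the nested match paths, and reports every allow statement whose condition is missing or literally true, marking it critical when any write method is granted and a warning when only read is public. The two rules files it scans are constructed samples embedded in the script; it understands the rules_version = '2' layout used on this page (one match per line, // comments, multi-line conditions ending in ';') and deliberately nothing more, so it will not see through helper functions defined inside the rules file.

```javascript
// lint-rules.js
// Added example for this page, not Firebase tooling: a text-level linter that
// flags `allow` statements granting access unconditionally. The two rules
// files below are constructed samples.

const WRITE_METHODS = new Set(["write", "create", "update", "delete"]);

// Constructed sample: the vulnerable rules from this page.
const VULNERABLE_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}`;

// Constructed sample: per-document ownership with an intentionally public read.
const SCOPED_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }
    match /posts/{postId} {
      allow read: if true; // intentionally public
      allow create: if request.auth != null
        && request.resource.data.authorId == request.auth.uid;
      allow update, delete: if request.auth != null
        && resource.data.authorId == request.auth.uid;
    }
  }
}`;

function stripComment(line) {
  const i = line.indexOf("//");
  return i === -1 ? line : line.slice(0, i);
}

// Parse one complete `allow ...;` statement; return a finding if it is open.
function checkAllow(statement, pathStack) {
  const m = statement.match(/^allow\s+([\w\s,]+?)(?:\s*:\s*if\s+([\s\S]+?))?\s*;/);
  if (!m) return [];
  const methods = m[1].split(",").map((s) => s.trim()).filter(Boolean);
  // `allow read;` (no condition) and `if true` both grant unconditionally.
  const condition = m[2] === undefined ? null : m[2].replace(/\s+/g, " ").trim();
  if (condition !== null && condition !== "true") return [];
  const path = pathStack.join("");
  const grantsWrite = methods.some((x) => WRITE_METHODS.has(x));
  return [{
    path,
    methods,
    condition: condition ?? "(none)",
    catchAll: path.includes("=**"),                  // wildcard: every document in the database
    severity: grantsWrite ? "critical" : "warning",  // public read may be intentional
  }];
}

function lintRules(source) {
  const findings = [];
  const pathStack = [];   // match paths of the enclosing blocks, "" for the service block
  let pending = null;     // an allow statement whose ';' has not arrived yet

  for (const raw of source.split("\n")) {
    const line = stripComment(raw).trim();
    if (!line) continue;

    if (pending !== null) {          // continuation of a multi-line condition
      pending += " " + line;
      if (!line.includes(";")) continue;
      findings.push(...checkAllow(pending, pathStack));
      pending = null;
      continue;
    }
    const match = line.match(/^match\s+(\S+)\s*\{/);
    if (match) { pathStack.push(match[1]); continue; }
    if (/^service\s+\S+\s*\{/.test(line)) { pathStack.push(""); continue; }
    if (line.startsWith("}")) { pathStack.pop(); continue; }
    if (line.startsWith("allow ")) {
      if (line.includes(";")) findings.push(...checkAllow(line, pathStack));
      else pending = line;
    }
  }
  return findings;
}

// Exit status for CI: fail the build on any unconditional write grant.
function exitCodeFor(findings) {
  return findings.some((f) => f.severity === "critical") ? 1 : 0;
}

for (const [name, rules] of [["vulnerable", VULNERABLE_RULES], ["scoped", SCOPED_RULES]]) {
  console.log(name, JSON.stringify(lintRules(rules), null, 2));
}
```

Wire exitCodeFor into the pipeline that runs firebase deploy --only firestore:rules so that an open write grant blocks the deployment; the warning for the public read on posts is left for a human to confirm, since that one is a product decision rather than a bug.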

Affected Technologies

Firebase, Node.js, React, Mobile

Data Hogo detects this vulnerability automatically.
