Severity: critical | CWE-862

Realtime Database Without Authentication

Firebase Realtime Database rules set '.read: true' and '.write: true' at the root level, allowing anyone on the internet to read and modify all data.

How It Works

Firebase Realtime Database uses JSON-based security rules. Setting '.read: true' and '.write: true' at the root grants full access to all data. Unlike Firestore, Realtime Database rules cascade downward — a permissive rule at the root opens every child node. Attackers can simply use the REST API (https://your-project.firebaseio.com/.json) to download the entire database as a single JSON file, without needing any SDK or authentication.

Vulnerable Code

{
  "rules": {
    ".read": true,
    ".write": true
  }
}

Secure Code

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    },
    "public_posts": {
      ".read": true,
      ".write": "auth !== null"
    }
  }
}
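The cascade described under "How It Works" is easy to get wrong when reading a rules file by eye, so the following is an added Python example (not Data Hogo's scanner and not Firebase's own evaluator) that models it over the two rule sets above. It embeds both rule sets as constructed samples, resolves the effective unauthenticated access for a given path by walking from the root, and lints the whole tree for literal `true` grants. It deliberately simplifies: only the literal `true` counts as a grant, rule expression strings are not evaluated (they are treated as conditions an anonymous request may fail), `.validate` is ignored, and a literal child key is assumed to take precedence over a `$wildcard` key.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed samples: the vulnerable and secure rule sets shown on this page.
VULNERABLE_RULES = json.loads('''{
  "rules": {
    ".read": true,
    ".write": true
  }
}''')

SECURE_RULES = json.loads('''{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    },
    "public_posts": {
      ".read": true,
      ".write": "auth !== null"
    }
  }
}''')


def _child(node: Dict[str, Any], segment: str) -> Optional[Dict[str, Any]]:
    """Select the rule node for one path segment. Assumption: a literal key
    wins over a "$variable" wildcard key, which matches any single segment."""
    if segment in node and isinstance(node[segment], dict):
        return node[segment]
    for key, value in node.items():
        if key.startswith("$") and isinstance(value, dict):
            return value
    return None


def effective_access(rules: Dict[str, Any], path: str, op: str) -> bool:
    """True when `op` ('.read' or '.write') on `path` is granted to an
    unauthenticated client by a literal `true` at the root or at any
    ancestor. Rules cascade downward: once a node grants access, every
    descendant is reachable and a child rule cannot revoke it.
    Expression strings are not evaluated here and count as 'not granted'."""
    node: Dict[str, Any] = rules.get("rules", {})
    if node.get(op) is True:
        return True  # root-level grant: the whole database is open
    for segment in [s for s in path.strip("/").split("/") if s]:
        nxt = _child(node, segment)
        if nxt is None:
            return False  # no rule for this subtree: default deny
        node = nxt
        if node.get(op) is True:
            return True  # grant at an ancestor cascades to the target
    return False


def find_unconditional_grants(rules: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Lint the tree and list every (path, op) whose rule is the literal `true`."""
    findings: List[Tuple[str, str]] = []

    def walk(node: Dict[str, Any], path: str) -> None:
        for op in (".read", ".write"):
            if node.get(op) is True:
                findings.append((path or "/", op))
        for key, value in node.items():
            if not key.startswith(".") and isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return findings


def audit(rules: Dict[str, Any]) -> Dict[Tuple[str, str], str]:
    """Rate each unconditional grant. A root-level grant is the CWE-862 case
    on this page (critical); a nested literal .write still lets anyone modify
    that subtree (high); a nested literal .read may be intentional public data
    such as public_posts, so it is only flagged for review."""
    report: Dict[Tuple[str, str], str] = {}
    for path, op in find_unconditional_grants(rules):
        if path == "/":
            report[(path, op)] = "critical"
        elif op == ".write":
            report[(path, op)] = "high"
        else:
            report[(path, op)] = "review"
    return report


if __name__ == "__main__":
    for name, rules in (("vulnerable", VULNERABLE_RULES), ("secure", SECURE_RULES)):
        print(name, audit(rules))
        print("  anon read /users/abc/email:",
              effective_access(rules, "/users/abc/email", ".read"))
```

Running `audit` over the vulnerable rules reports both root grants as critical, while the secure rules yield only the intentional public read on `/public_posts`, and `effective_access` shows that the anonymous read of a user record is granted by the root rule in the first case and denied in the second.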

Real-World Example

Researchers have found that appending /.json to a Firebase Realtime Database URL exports the entire database. In 2019, a study found 12,000+ Firebase databases publicly accessible, leaking emails, passwords, phone numbers, and chat messages from popular mobile apps.

How to Prevent It

  • Never use '.read: true' or '.write: true' at the root level
  • Scope rules to specific paths with auth.uid validation
  • Use the Firebase Rules Playground to test access patterns
  • Monitor Firebase security alerts in the Google Cloud Console

Affected Technologies

Firebase, Node.js, React, Mobile

Data Hogo detects this vulnerability automatically.
