Three researchers scanned the internet for vulnerable Firebase instances, looking for personally identifiable information (PII).
Firebase is a platform for hosting databases, cloud computing, and app development. It’s owned by Google and was set up to help developers build and ship apps.
What the researchers discovered was scary. They found 916 websites from organizations that set their Firebase instances up incorrectly, some with no security rules enabled at all.
One of the researchers told BleepingComputer that most of the sites also had write enabled (meaning anyone can change it) which is bad, and one of them was a bank.
During a sweep of the internet that took two weeks, the researchers scanned over five million domains connected to Google’s Firebase platform.
The total amount of exposed data is huge:
- Names: 84,221,169
- Emails: 106,266,766
- Phone Numbers: 33,559,863
- Passwords: 20,185,831
- Billing Info (Bank details, invoices, etc): 27,487,924
And as if that isn’t bad enough, 19,867,627 of those passwords were stored in plaintext. Which is a shame given that Firebase has a built-in end-to-end identity solution called Firebase Authentication that is specifically designed for secure sign-in processes and does not expose user passwords in the records.
So, an administrator of a Firebase database would have to go out of their way and create an extra database field in order to store the passwords in plaintext.
The researchers have warned all the affected companies, sending 842 emails in total. Only 1% of the site owners replied, but about a quarter of them did fix the misconfiguration.
In this case we can consider it a blessing that these researchers managed to get a lot of those instances correctly configured. On the other hand it’s frightening that the rest lives on in a state of insecurity.
