Description

Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014.

Any Firebase Realtime Database URL is accessible as a REST endpoint. All we need to do is append .json to the end of the URL and send a request from our favorite HTTPS client and we can access the data.

It was confirmed that this Firebase Realtime Database URL is accessible without authentication. If the database contains sensitive information it's recommended to restrict access to this database. Otherwise, you can ignore this alert.

Remediation

This Firebase Realtime Database URL is accessible without authentication. If the database contains sensitive information it's recommended to restrict access to this database.

References

Installation & Setup for REST API

How I "found" the database of the Donald Daters App

Related Vulnerabilities

Node.js Web Application does not handle unhandledRejection

Apache Tomcat version older than 7.0.32

Scheme URI Detected in Content Security Policy (CSP) Directive

OpenSSL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-3193)

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-6612)

Severity

Medium

Classification

CWE-200 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration