Firebase Misconfiguration

Firebase is a set of backend cloud computing services and application development platforms provided by Google. Many Firebase instances are misconfigured, leaving unauthenticated read access to the JSON database exposed at /.json under the database URL. The code snippet used to connect to Firebase is often left in the main HTML page of websites, and it looks like this:
var config = {
    apiKey: "3x4mpl3",
    authDomain: "example.firebaseapp.com",
    databaseURL: "https://example.firebaseio.com",
    projectId: "example",
    storageBucket: "example.appspot.com",
    messagingSenderId: "6969"
};
firebase.initializeApp(config);
With the databaseURL from that snippet, reading the exposed data takes nothing more than a simple unauthenticated HTTP GET against the /.json endpoint.
[*] firebase_json.png
Misconfigurations like this are also found inside many Android applications; I suggest this read.
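The root cause of the /.json exposure is the database's security rules, not the client snippet: the apiKey and databaseURL are meant to be public, and the Realtime Database decides per request whether to serve data based on the rules JSON. The following is an added example, not code from the original post, showing how an owner can lint a rules file offline before deploying it. The two rule sets (WEAK_RULES, HARDENED_RULES) are constructed samples in the standard Realtime Database rules format, and the helper names find_open_access and root_is_world_readable are my own.

```python
"""Offline lint for Firebase Realtime Database rules (added example, not from the post)."""
import json

# Constructed sample: the permissive rules that make <databaseURL>/.json readable by anyone.
# This is the shape the Firebase console offered as "test mode" defaults.
WEAK_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True,
    }
})

# Constructed sample: no unconditional grant at the root; each user's subtree is
# readable and writable only by that signed-in user (auth.uid must match the $uid key).
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "announcements": {
            ".read": "auth != null",   # any signed-in user may read, nobody may write
            ".write": False,
        },
    }
})


def find_open_access(rules_text):
    """Return (path, permission) pairs where access is granted unconditionally.

    A rule is unconditional when it is the literal true or the string "true".
    A string expression such as "auth != null" is evaluated per request by
    Firebase and is treated here as conditional. Paths are '/'-joined keys
    below the top-level "rules" object; the root is reported as "/".
    """
    doc = json.loads(rules_text)
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                unconditional = value is True or (
                    isinstance(value, str) and value.strip() == "true"
                )
                if unconditional:
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def root_is_world_readable(rules_text):
    """True when the whole database (what /.json returns) is readable without authentication."""
    return ("/", ".read") in find_open_access(rules_text)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "findings:", find_open_access(text),
              "| root world-readable:", root_is_world_readable(text))
```

Realtime Database rules cascade downward: a read grant at a parent path applies to every child and cannot be revoked deeper in the tree, which is why an unconditional ".read" at "/" is the one finding that always matters. Any other unconditional grant the lint reports should be reviewed for whether that subtree is genuinely meant to be public.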

Looking for vulnerable targets

Here's a FOFA query to search for (possibly) vulnerable websites: body="firebase.initializeApp(config);" && body="databaseURL". It returns more than 21k results.
[*] fofa_results.png