According to Appthority’s report, the unsafe usage of Firebase allows unauthorized access to the hole database by simply appending
/.json to the server URL.
Following this tip, we search potentially vulnerable Apps in our Janus by using RULE. There are 14645 Apps are found enclosing this URL, the total unique URLs are 3632. We try these URLs later automatically by using script.
Surprisingly, we found there are still vulnerable projects on Firebase and gigabytes can be retrieved from these databases.
Rather than mitigating the attack case by case, it’s a more convenient way to fix this issue by refusing the
/.json request. Since there are still Firebase project vulnerable to this flaw, we are curious about why Google does not fix this problem from the ground up.