What Is This Vulnerability
Firebase Security Rules Misconfiguration is a broad vulnerability class where the security rules governing Firestore, Realtime Database, or Cloud Storage are configured more permissively than the application requires. This includes wildcard rules that grant universal access, rules that check authentication but not authorization, time-based rules that were meant to be temporary, and inherited rules from parent paths that override stricter child rules.
Firebase relies entirely on security rules for access control since there is no traditional backend middleware. A single misconfigured rule can expose the entire database or storage bucket.
Why It's Dangerous
Misconfigured rules are the root cause of most Firebase data breaches. The risks include:
- Complete data exposure — wildcard read rules expose every collection and document.
- Data tampering — wildcard write rules let attackers modify or delete any record.
- Rule inheritance pitfalls — a permissive parent rule overrides restrictive child rules, creating false confidence.
- Stale development rules — temporary
allow read, write: if truerules left from prototyping. - Authentication without authorization — checking
request.auth != nullbut not verifying the user has access to the specific resource.
Firebase explicitly warns in the console when rules are overly permissive, but many teams ignore these warnings.
How to Detect
Review your deployed rules and check for these dangerous patterns:
// Pattern 1: Universal access (most dangerous)
match /{document=**} {
allow read, write: if true;
}
// Pattern 2: Auth-only without authorization
match /orders/{orderId} {
allow read, write: if request.auth != null;
// Any logged-in user can read ANY order
}
// Pattern 3: Time-based rule that expired
match /{document=**} {
allow read, write: if request.time < timestamp.date(2025, 6, 1);
// Was meant to be temporary, now permanently open
}
Use the Firebase Rules Playground in the console to simulate requests. AuditYour.app audits live rules by testing authenticated and unauthenticated access patterns across collections and storage paths.
How to Fix
Apply the principle of least privilege to every rule:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Helper function for ownership check
function isOwner(userId) {
return request.auth != null && request.auth.uid == userId;
}
// Helper function for admin check
function isAdmin() {
return request.auth != null
&& get(/databases/$(database)/documents/admins/$(request.auth.uid)).data.role == 'admin';
}
match /users/{userId} {
allow read: if isOwner(userId) || isAdmin();
allow write: if isOwner(userId);
}
match /orders/{orderId} {
allow read: if request.auth != null
&& resource.data.customerId == request.auth.uid;
allow create: if request.auth != null
&& request.resource.data.customerId == request.auth.uid;
allow update, delete: if false; // managed server-side
}
// Explicit default deny
match /{document=**} {
allow read, write: if false;
}
}
}
Set up CI/CD checks that lint security rules before deployment. Use firebase emulators:exec to run automated rule tests as part of your pipeline.
Scan your app for this vulnerability
AuditYourApp automatically detects security misconfigurations in Supabase and Firebase projects. Get actionable remediation in minutes.
Run Free ScanRelated
vulnerabilities
Public Firestore Collection
Firestore collections are readable by anyone without authentication due to missing or permissive security rules.
vulnerabilities
Writable Firestore Collection
Firestore collections are writable without authentication, allowing attackers to insert, modify, or delete data.
vulnerabilities
Firebase Storage Bucket Exposure
Firebase Cloud Storage bucket is publicly accessible, allowing anyone to list and download files.
vulnerabilities
Firebase API Key Exposure
Firebase API key found in client-side JavaScript bundles, which is expected but may indicate broader misconfiguration.