After reading a blog post by ghostlulz, I learned that if a Firebase database is not secured properly, you can easily dump the contents by appending “.json” to the end of the URL. This seems easy, but how easy?
The example ghostlulz gives is a fruitful Bing search:
However, upon closer inspection, we notice Firebase instances are organized by subdomain. Custom subdomains.
Armed with the Quantcast Top 1 Million Sites and some arbitrary python, we are off to collect a list of potential targets. Reading line by line, we extract the TLD of the website, and construct a potential Firebase URL.
Make a GET request to the new URL and save the contents.
After a few minutes it becomes clear this might be a larger issue.
We can get data, but how bad can it be?
As it turns out, pretty bad.
Not only is it incredibly easy to find large amounts of unsecured Firebase databases, but these instances contain incredibly sensitive data.
I have personally made a dozen phone calls to alert owners of more critical data, some of which have already been remediated. Due to the nature of these open databases it is difficult to discern the owner, but we are hard at work.