Firebase is a platform that requires developers to secure individual tables and rows. However, it appears that developers either lacked the necessary security training or did not allocate sufficient time in the development lifecycle to apply the correct security controls
Causes of the Firebase Misconfigurations
The misconfigurations of Firebase instances that led to the exposure of 19 million plaintext passwords and sensitive user data were primarily due to two factors:
📌 Lack of Security Rules: Some Firebase instances had no security rules enabled, which should act as a first line of defense against unauthorized access.
📌 Incorrect Setup: In other cases, security rules were set up incorrectly. This improper configuration allowed for the public exposure of data that should have been private.
Affected Industries
The misconfigured Firebase instances affected a broad range of industries, including:
📌 Retail and Hospitality: Fast food chains and other retail businesses were among those affected, with instances such as Chattr’s Firebase implementation exposing user data.
📌 Healthcare: Healthcare applications were found to have exposed personal family photos and token IDs.
📌 E-commerce: E-commerce platforms leaked data from cryptocurrency exchange platforms.
📌Education: A learning management system for teachers and students exposed records of 27 million users.
📌 Technology and App Development: The very nature of Firebase as a development platform means that a wide array of mobile and web applications across various sectors were impacted.