Don't be like these 900+ websites and expose millions of passwords via Firebase

Warning: Poorly configured Google Cloud databases spill billing info, plaintext credentials


At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers.

Among these websites, it's estimated that at least 125 million user records were found to be publicly accessible, including billing information and plaintext passwords. In short: If you're using Google's Firebase, make sure it's securely configured to avoid leaking private info to the rest of the world.

Firebase is a popular backend service that websites and apps use for storing data in the cloud. It provides security rules to keep data safe, in theory anyway.

In practice, we recall an incident where 24,000 Android apps exposed data through ham-handed Firebase implementations. According to one software engineer who used to work at Google and as a Firebase consultant, "the concerns with security rules have always plagued the product."

That developer did not immediately respond to a request for further comment, nor did Google.

The penetration testers, who go by the names mrbruh, xyzeva and logykk, previously identified exposed credentials in AI hiring service chattr's Firebase implementation. They found a way to use Firebase's registration feature to create a new user with administrative read and write privileges.
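As an added illustration (not from the researchers' report or the article), here is a Firebase Realtime Database rules file contrasting the wide-open configuration behind exposures like these with a locked-down one that also blocks the registration trick described above, where a self-created account gets to write its own privileges. The `users/$uid/profile` and `role` paths are assumed for the example, as is use of the Realtime Database rather than Firestore (which has a separate rules language).

```json
// Insecure, and the classic cause of a public dump of the whole database:
//   {"rules": {".read": true, ".write": true}}
// Still weak: ".read": "auth != null" / ".write": "auth != null" at the top
// lets anyone who self-registers through the open sign-up flow read every
// record and write any field, including an admin flag on their own user.
{
  "rules": {
    "users": {
      "$uid": {
        // A signed-in user may read only their own record.
        ".read": "auth != null && auth.uid == $uid",
        // Client write access is granted only on the self-service subtree.
        "profile": {
          ".write": "auth != null && auth.uid == $uid",
          ".validate": "newData.hasChildren(['displayName'])"
        },
        // No client ".write" here and none on any ancestor, so only the
        // Admin SDK (which bypasses rules) can set a role. Rules cascade:
        // a ".write": true on a parent could NOT be revoked at this child.
        "role": {
          ".validate": "newData.isString()"
        }
      }
    }
  }
}
```

Deploy with `firebase deploy --only database` and confirm afterwards that an unauthenticated read of the database root is rejected; the Firebase console's Rules Playground can simulate reads and writes as a given `auth.uid` before the rules go live.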

Following that dumpster fire, the cyber-trio decided to conduct an internet-wide search for poorly configured Firebase databases using a scanning program converted from Python into Go to tame a memory leak.

The renovated code took between two and three weeks to scour 5.2 million domains, and ultimately ended up with a list of data obtainable from more than 900 websites.

All told, the list included almost 125 million records, with 85 million names, 106 million email addresses, 34 million phone numbers, 20 million passwords, and 27 million billing details.

The researchers, who note that the actual numbers are probably larger, say they spent two weeks sending email notifications to 842 of the websites, of which 85 percent got through and nine percent bounced.

From this, they say 24 percent of site owners fixed the misconfiguration, though just one percent of site owners mailed back and a mere 0.2 percent of site owners – just two of them – offered some form of bug bounty.

Configuration mishaps of this sort were common for many years with AWS, until AWS decided it would help customers avoid shooting themselves in the foot through more secure default settings.

It's still an issue, however. According to OWASP, security misconfiguration ranks fifth among the top ten most common vulnerabilities, with an average incidence rate of 4.51 percent. ®
