Don't be like these 900+ websites and expose millions of passwords via Firebase
2024-03-18 21:29

At least 900 websites built with Google's Firebase, a cloud database, have been misconfigured, leaving credentials, personal info, and other sensitive data inadvertently exposed to the public internet, according to security researchers.

Across these websites, an estimated 125 million or more user records were publicly accessible, including billing information and plaintext passwords.

Firebase is a popular backend service that websites and apps use for storing data in the cloud.

In practice, we recall an incident in which 24,000 Android apps exposed data through ham-handed Firebase implementations.

The penetration testers, who go by the names mrbruh, xyzeva and logykk, previously identified exposed credentials in AI hiring service chattr's Firebase implementation.

The renovated code took between two and three weeks to scour 5.2 million domains, and ultimately ended up with a list of data obtainable from more than 900 websites.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/18/google_firebase_cloud_security/