900 Sites, 125M accounts, 1 Vulnerability
Firebase’s Security Model & Its Pitfalls
- Many see Firebase’s security rules as conceptually sound but hard to use correctly in practice, especially for Realtime Database.
- Rules are “set and forget”: new fields/collections often inherit overly-permissive rules when business logic changes.
- Security issues arise from:
- Novel rule-based model compared to traditional backends.
- Ease of mass scanning when many apps use the same platform.
- Insecure defaults / “allow by default” patterns and devs just using
read/write trueto make things work.
- UX criticism: most of Firebase is polished UI, but rules are a plain config file that many newer devs avoid touching properly.
Google Support and Organizational Issues
- Multiple comments describe Firebase/Google support as unresponsive and heavily outsourced.
- There is a sense that Google underinvests in human-centric, high-skill support for developer products.
- Some argue this “bot-first, human-last” culture may hurt Google long-term; others think regulation or simple inertia matter more.
Architecture: Direct Frontend DB Access
- Many are uneasy with frontends writing directly to a database, even with rules:
- Harder to ensure validation, content checks, and evolving privacy requirements.
- Larger “surface area to forget” compared to a more centralized backend.
- Defenders say it works for simple “user-only data” apps (e.g., notes/sync) and that mature projects often move writes to Cloud Functions or traditional servers, keeping reads client-side.
Mitigations and Best Practices
- Suggestions include:
- Template-based “simple security modes” and mandatory rule tests.
- Treat each collection as having a clear security profile (public, per-user, admin-only) and never mix sensitivities.
- Default-deny transpilers that force explicit rules for new fields.
- Better audit logs and notifications for implicit schema changes.
- RLS-like mechanisms (as in Postgres/Supabase) to express auth in a familiar language.
Impact, Ethics, and User Security
- Many vulnerable sites remain unfixed despite disclosure attempts; emails often ignored, and dashboards rarely checked.
- Debate over publishing a list of affected sites: could help users but also aid attackers.
- Broader concern that low-bar cloud tools enable organizations with little security competence to collect large volumes of PII.
- Users are advised to use password managers and unique/aliased emails to limit damage from inevitable breaches.