Firebase database accessible without authentication - Vulnerability Database

Firebase database accessible without authentication

Description

Firebase Realtime Database is a cloud-hosted NoSQL database that exposes a REST API: appending .json to any node path of the database URL (for example https://<project-id>.firebaseio.com/.json for the root) returns that node as JSON. The security rules of this instance grant read, and possibly write, access to unauthenticated requests, so an anonymous GET against the database returns data instead of the {"error": "Permission denied"} response a correctly locked-down database gives. While some Firebase databases are intentionally public (such as for open datasets), many contain sensitive application data and should require authentication. This finding indicates that the database's security rules are either missing or misconfigured to allow anonymous access, most commonly because the permissive "test mode" rules chosen when the database was created were never replaced.

Remediation

Review the Firebase Realtime Database security rules to determine if public access is intentional. If the database contains sensitive information or should require authentication, implement proper security rules:

1. Access the Firebase Console:
Navigate to your project → Realtime Database → Rules tab

2. Review current rules:
Check whether the rules allow public access. The "test mode" (development) rules set ".read" and ".write" to true at the root, which makes the entire database readable and writable by anyone who knows the URL.

3. Implement authentication-based rules:
Replace permissive rules with authentication requirements. Example baseline configuration (note that "auth != null" still lets every signed-in user, including users of anonymous sign-in if that provider is enabled, read and write the whole database, so treat it as a starting point rather than a final policy):

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

4. For more granular control, implement path-based rules. Rules cascade: a ".read" or ".write" granted at a parent path applies to every child and cannot be revoked deeper in the tree, and any path with no matching rule is denied by default:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_data": {
      ".read": true,
      ".write": "auth != null"
    }
  }
}

5. Test the new rules using the Firebase Rules Simulator before publishing

6. Publish the updated rules and verify that unauthorized access is blocked, for example by requesting https://<project-id>.firebaseio.com/.json without credentials and confirming the response is HTTP 401 with {"error": "Permission denied"}

If public access is intentional, document this decision, ensure no sensitive data is stored in the database, and keep writes restricted to authenticated users so that the public data cannot be altered by anonymous clients.
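The following script is an added example, not code from the Invicti page or from Firebase; it shows the two checks the procedure above calls for: a linter that walks a rules document and reports every grant that needs no authentication (or that opens the whole database to any signed-in user at the root), and an unauthenticated REST probe that tells you whether a published rule set actually blocks anonymous reads. The rule documents, the project URL and the canned HTTP responses are constructed for the example; run the network probe only against databases you own.

```python
"""Audit Firebase Realtime Database rules for anonymous access and verify,
through the public REST API, whether a database answers unauthenticated reads.
Standard library only. Sample rules and URLs below are constructed for the example."""
import json
import urllib.error
import urllib.request

# Constructed sample: the "test mode" rules offered when a database is created,
# which leave the whole database world-readable and world-writable.
TEST_MODE_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Constructed sample: per-user rules plus one branch that is public on purpose.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                           ".write": "auth != null && auth.uid == $uid"}},
        "public_data": {".read": True, ".write": "auth != null"},
    }
})


def _walk(node, path, findings):
    """Recurse through the rules tree, recording .read/.write grants that need no auth."""
    for key, value in node.items():
        if key in (".read", ".write"):
            if value is True or str(value).strip().lower() == "true":
                findings.append((path or "/", key, "anonymous"))
            elif path == "" and str(value).strip() == "auth != null":
                findings.append(("/", key, "any signed-in user, whole database"))
        elif key.startswith("."):
            continue  # .validate / .indexOn never grant access
        elif isinstance(value, dict):
            _walk(value, path + "/" + key, findings)


def audit_rules(rules_json):
    """Return (path, rule, who) for every grant that is anonymous, or that is
    'auth != null' at the root. Rules cascade downward: a grant at a parent cannot
    be revoked by a child rule, so a root-level '.read: true' exposes every node."""
    findings = []
    _walk(json.loads(rules_json).get("rules", {}), "", findings)
    return findings


def rest_url(database_url, path=""):
    """Build the REST URL for a node: the node path with '.json' appended.
    shallow=true returns only the node's top-level keys, not the entire subtree."""
    node = path.strip("/")
    return f"{database_url.rstrip('/')}/{node + '.json' if node else '.json'}?shallow=true"


def classify(status, body):
    """Map an unauthenticated REST response to a verdict. The database answers 200
    when the rules allowed the request and 401 {"error": "Permission denied"} when
    they did not; a 200 with body 'null' means readable but empty at that node."""
    if status == 200:
        return "ACCESSIBLE" if body.strip() not in ("", "null") else "ACCESSIBLE (empty node)"
    if status in (401, 403):
        return "DENIED"
    if status == 404:
        return "NOT_FOUND"
    return f"UNEXPECTED_{status}"


def http_get(url):
    """Anonymous GET returning (status, body); urllib raises on 4xx/5xx, so catch it."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_anonymous_read(database_url, path="", fetch=http_get):
    """Verdict for an unauthenticated read of `path`. `fetch` is injectable so the
    logic can be exercised offline with canned responses."""
    return classify(*fetch(rest_url(database_url, path)))


if __name__ == "__main__":
    for finding in audit_rules(TEST_MODE_RULES) + audit_rules(SCOPED_RULES):
        print("grant without auth:", finding)
    # Placeholder project URL: replace with your own project before running.
    print(check_anonymous_read("https://your-project-id.firebaseio.com"))
```

Run the audit against the rules exported from the console (Rules tab, or `firebase database:get` is not needed, the rules JSON is what you paste into the tab) before publishing, then run the REST probe after publishing: a DENIED verdict for the root path is what step 6 expects, and ACCESSIBLE for a branch such as public_data is acceptable only when that branch is documented as intentionally public.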
