Firebase: Anonymous Auth With Open Firestore Rules

The default Firebase setup

Firebase Authentication supports anonymous sign-in. a single API call creates a temporary user with a valid UID. This is intended for shopping carts, saved preferences, and other pre-signup features. The problem is what happens when Firestore security rules trust any authenticated user.

The permissive rules pattern

The Firebase documentation's "getting started" examples use:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

This grants full read/write access to every collection for any authenticated user; including anonymous ones. One API call, full database access.

What we find in exposed Firestore databases

• User profiles with email addresses, phone numbers, and physical addresses
• Payment records with partial card numbers
• Chat messages and private conversations
• Admin configuration documents with API keys to third-party services

Realtime Database has the same problem

Firebase RTDB rules default to ".read": false, ".write": false but many tutorials instruct developers to set them to true during development. These rules get deployed to production and forgotten.

How we detect this

Our scanner extracts the Firebase config object from the client JavaScript, then:

1. Calls signInAnonymously() to get a valid auth token
2. Attempts to list collections via the Firestore REST API
3. Attempts to read/write to the Realtime Database
4. Tests Storage bucket access with the anonymous credential

Defense

• Never use allow read, write: if request.auth != null as a catch-all
• Write per-collection rules that check ownership: request.auth.uid == resource.data.userId
• Disable anonymous auth if you don't need it
• Use Firebase App Check to restrict API access to your app only