Firebase: Anonymous Auth With Open Firestore Rules
Firebase allows anonymous authentication by default. Combined with permissive Firestore security rules, the infamous allow read, write: if true gives any visitor full read/write access to every collection. This is a top source of cloud data breaches we uncover during Firebase penetration testing and security audits.
Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.
The Firestore rule that leaks every database on the internet
Type this into your favorite search engine. "allow read, write: if true" site:github.com. Scroll through a page of results. Every result is a live Firebase project with a security rule that gives any visitor full read and write access to every collection.
This is one of the single most common data breach patterns in consumer app security over the last three years. It's not a sophisticated attack. It's the Firebase getting-started tutorial, shipped to production, never revisited. The attacker's "exploit" is opening the browser console.
The default Firebase setup
Firebase Authentication supports anonymous sign-in. A single API call creates a temporary user with a valid UID. Intended for shopping carts, saved preferences, and pre-signup features. The problem is what happens when Firestore security rules trust any authenticated user.
The permissive rules pattern
The Firebase documentation's "getting started" examples use:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth!= null;
}
}
}This grants full read/write access to every collection for any authenticated user. Including anonymous ones. One API call, full database access.
What we find in exposed Firestore databases
- User profiles with email addresses, phone numbers, and physical addresses
- Payment records with partial card numbers
- Chat messages and private conversations
- Admin configuration documents with API keys to third-party services
Realtime Database has the same problem
Firebase RTDB rules default to ".read": false, ".write": false but many tutorials instruct developers to set them to true during development. These rules get deployed to production and forgotten.
How we detect this
Our scanner extracts the Firebase config object from the client JavaScript, then:
- Calls
signInAnonymously()to get a valid auth token - Attempts to list collections via the Firestore REST API
- Attempts to read/write to the Realtime Database
- Tests Storage bucket access with the anonymous credential
Defense
- Never use
allow read, write: if request.auth != nullas a catch-all - Write per-collection rules that check ownership:
request.auth.uid == resource.data.userId - Disable anonymous auth if you don't need it
- Use Firebase App Check to restrict API access to your app only
Want us to check your Firebase setup?
Our scanner detects this exact misconfiguration. plus dozens more across 38 platforms. Free website check available, no commitment required.