Possible Firebase vulnerability leak affects 900+ apps

Fair warning, this could affect anyone without proper privacy rules, so this isn’t just a Firebase exclusive thing, but I still don’t use Firebase for other reasons. It’s still a secure alternative for database usage, just be sure to read up on proper security to ensure your application and your users’ data is secure.

I have honestly never used Firebase and never will. There are countless reasons why I won’t use it, and even before the following article, I still wouldn’t use it. But if you’re using it to this day, I’d suggest the following:

  • check your security (you’re probably leaking data somewhere)
  • read this post (it’s important I promise)
  • stop using it

Reading up on daily trends, posts, etc., I see something along the lines of “Potentially 4 Billion Dollars Could Have Been Hacked by Whitehats”.

There has been a huge vulnerability on Firebase databases. It was huge.

Look how the app makers/representatives reply. Some don’t even reply, most don’t even fix the issue. You can still USE THIS TO THIS DAY (at least as of a few days ago).

Tread lightly, as you get to the bottom you’ll see their stats. This was done by a team of like 3 kids. The main vulnerability was found by a 17 year old (who started pen testing at 15). He now works with and contributes to Supabase.

I’m not sure if the vulnerability has been patched by Google itself. I haven’t followed up on it too much (since I don’t use it), but thought some of you folks might find this useful to know.

So… use Firebase?

Decision is up to you. I am just showing you guys a potential issue if you’re using Firebase right now. Personally? I wouldn’t touch it with a million foot pole.

EDIT: I don’t use it so much I don’t even know how to spell it (Firebase, not Firestore).

the linked article seems to tell a different story:

TLDR:

  • Firebase allows for easy misconfiguration of security rules with zero warnings

if this is a vulnerability then bubble has the same problem as well because you can misconfigure privacy rules, or do other stupid things like using access tokens as url parameter, or use eval with user-generated strings.

the article doesn’t say anything about working for supabase, they only say that they used the supabase db product.

2 Likes
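To make the TLDR concrete: below is an added example (constructed for this thread, not taken from the post or from the article it cites) of what the misconfiguration looks like in Firebase Realtime Database rules, next to a least-privilege rule set. The paths (`users/$uid`, `email`, `displayName`) are assumed for illustration; the rule syntax (`auth`, `$uid` wildcards, `.validate`, `newData`) is Firebase’s own.

```jsonc
// Constructed example, not from the post or the linked article.
// Firebase Realtime Database rules, as deployed from database.rules.json.

// 1. The misconfiguration: every path is readable and writable by anyone who
//    knows the database URL, with no authentication at all. Nothing in the
//    console stops you from deploying this, which is the "zero warnings" point.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// 2. Least-privilege replacement: no rule at the root means "denied" by
//    default; each signed-in user is then granted their own subtree only,
//    and the shape of what may be written there is validated.
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        },
        "displayName": {
          ".validate": "newData.isString() && newData.val().length <= 64"
        },
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

Two things worth knowing when reviewing your own rules: `.read`/`.write` permissions cascade downward, so a `true` at the root cannot be tightened again at a deeper path (the fix is to remove the root grant, not to add child rules under it), and `.validate` only constrains data being written, it never grants access, so it is not a substitute for the `.read`/`.write` conditions. The same deny-by-default principle applies to Bubble privacy rules, as the post above notes.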

One of the team members is a contributor for Supabase. It’s not mentioned in the article.

contributor != works

From my understanding, when you’re contributing code for a company like that, you’re likely doing it by contract.

Regardless, the leak is real. Doesn’t matter if users are using Bubble databases or not. That’s not the point. The point is the fact that some apps on Bubble utilize Firebase for other uses, and their data could have been leaked.

And by leaked, these guys didn’t leak any of their information. But through the article, many other developers have been made aware of this, so people could be affected nonetheless.

Create a pull request
After making any changes, open a pull request. Once you submit your pull request, the Supabase team will review it with you.
Once your PR has been merged, you will be proudly listed as a contributor in the contributor chart!

from the article it looks like it’s not a security vulnerability of firebase itself but bad practice of some apps. there is a difference in this.

Could be true. But once again, this is an article to raise awareness. What is your point here? My point was to just let people know there could be a leak with their firebase, and I don’t use it. What about you?

Also:

And yes, you can contribute to supabase, but if you don’t think some contributors get paid then you’re mistaken.

raising awareness of best practice is a good thing, and this would have been a better topic with a title that reflected that instead of claiming that firebase has a security vulnerability when clearly it’s not the case.
claiming that the author works for a famous company while in practice they don’t gives a false sense of legitimacy to the whole story.
sticking to the facts here may be more helpful.

this could have easily been a “normal” click-bait article like “don’t do this critical mistake in firebase” instead of “firebase hacked” which is not supported by the article you reference :wave:

1 Like

You’re right mate. I’m being a little snooty lol. I don’t need to be like that. I guess I could have chosen a better title. Let me fix that.

To be fair (technically) they did hack into their databases :stuck_out_tongue:

2 Likes

lol to being “normal clickbait”

I honestly thought your account had been taken over by a bot when I read the original title

3 Likes

When I re-read what I did, I don’t blame you. Pretty sure I was half asleep when I wrote it lol