Exposed Firebase databases hidden by Google search
A security researcher found that Google's search engine hides results for misconfigured Firebase databases that are publicly accessible on the internet.
A security researcher discovered that exposed Google Firebase databases are discoverable in many search engines -- but not Google's.
Alex "Ghostlulz" Thomas, an independent security researcher and former analyst at cybersecurity consulting firm Bishop Fox, published a blog post last week that demonstrated how Google Firebase databases that are publicly accessible could be found via many popular search engines such as Bing. These cloud databases are misconfigured and lack any authentication or access control, which allows anyone to read and copy the data.
"Exploiting this misconfiguration is extremely easy. Append .json to the end of a Firebase URL, and if you are able to see their database, they are vulnerable," Thomas wrote in the blog post.
However, Thomas noted the exposed Firebase databases were not searchable in Google searches.
"It appears as if Google purposely scrubbed the results to prevent hackers from exploiting the misconfiguration based on finding the information on Bing and not on Google," Thomas told SearchSecurity. "I assume they did this because Firebase is owned by Google."
Google has not responded to requests for comment regarding the research. Thomas said he did not contact Google prior to publishing his findings and has not been in contact with the company since.
Thomas' post included an example of an anonymized database that exposed user passwords. SearchSecurity verified Thomas' findings and found several exposed Firebase databases in results from several non-Google search engines. A Bing search for Firebase URLs produced more than 24,000 results, though it's unclear how many of those URLs were unique and publicly accessible.
Misconfigured Firebase databases have been an issue in the past for Google. Last year, application security vendor Appthority published research that found 3,000 iOS and Android apps had exposed approximately 100 million user records, including passwords and personal health information, through unsecured Firebase databases.
Thomas told SearchSecurity he was aware that misconfigurations had been a problem for Firebase users in the past, but he believed his blog post was the first time the search result discrepancy between Google and other search engines had been documented.
In his blog post, Thomas linked to an open source tool on GitHub that automates searches for exposed Firebase databases; he encouraged other security researchers and bug hunters to "find easy wins and get paid."
"The vast majority of developers and hunters are unaware of the pitfalls that come with using Firebase database," he wrote. "You can easily dump an entire database by simply visiting a URL."
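The exposure described in this article occurs when a Firebase Realtime Database's security rules grant read or write access unconditionally. The following added example is not from Thomas' post or from Google. It audits a rules file for such grants and shows a weak configuration beside a hardened one. Both sample rule sets are constructed, and the function name `find_open_rules` is hypothetical. It assumes the rules file is plain JSON without comments.

```python
import json

# Constructed sample: every client, authenticated or not, can read and write.
WEAK_RULES = """
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
"""

# Constructed sample: each user can reach only their own record.
HARDENED_RULES = """
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
"""


def find_open_rules(rules_text):
    """Return sorted (path, rule) pairs where access is granted to everyone."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                # The boolean true and the expression string "true" both
                # grant access unconditionally. Grants cascade to all child
                # paths, so a finding at "/" exposes the whole database.
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_text).get("rules", {}), "")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_open_rules(text))
```

An empty result only means no rule is literally `true`; expressions that are always satisfied in practice still need manual review.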