No Rules, No Locks: Firebase Misconfiguration and the Borrowers It Left Behind
A security researcher discovered that a Firebase-backed microfinance lending platform left two of three Firebase services (Firestore and Firebase Storage) with default open security rules, exposing hundreds of borrowers' complete PII including national ID numbers, GPS coordinates, photos, credit scores, and signed loan documents. Starting from the publicly accessible /__/firebase/init.json endpoint, the researcher extracted the projectId and constructed REST API calls to enumerate collections and download records without any authentication. Full CRUD access was confirmed — unauthenticated attackers could read, write, modify, or delete production financial records. The Realtime Database was the only service correctly locked down. The writeup details the attack chain, the data exposed in customers/loans/surveys/groups collections, and provides the two-line Firestore and Storage rule fix (if request.auth != null) that would have prevented the entire compromise.