Firebase credential exposure security demonstration for pagepilot-cad7f
Firebase credential exposure — live demo
Run each attack vector against the exposed project to show the client what's actually accessible.
Hardcoded credentials found in source
apiKey: AIzaSyCHH7tKZkOT_k4OlmGY1WWNKVfDZPRihBU
authDomain: pagepilot-cad7f.firebaseapp.com
projectId: pagepilot-cad7f
messagingSenderId: 837955958090
appId: 1:837955958090:web:94acdf301268c0f6cf3db3
Auth — untested
Firestore — untested
Anon accounts — untested
Create anonymous account: Can anyone register without credentials?
Read Firestore data: Can anyone query the database?
Create email account: Pollute auth with fake users
Enumerate collections: Discover data structure
Attack log
// ready — click a button to run an attack vector