Firebase Security Scanner — Detect public Firestore/RTDB leaks

Deprecated

Pricing

Pay per usage



Developer

Renzo Madueno, https://rotatepilot.com

Maintained by Community


Firebase Security Scanner — Find public Firestore & Realtime Database leaks

Probes a public Firebase project for Firestore collections and Realtime Database paths that are readable without authentication — the #1 cause of Firebase data leaks. Returns the resource name, severity, sample columns, detected sensitive fields, and a verbatim curl reproducer per finding. Counts and metadata only — never bulk row data.

Why this exists

Firebase Security Rules are the only thing standing between your data and the public internet. A single rule like allow read: if true; — common in tutorials and "get it working" prototypes — exposes an entire Firestore collection or Realtime Database path to anyone who knows your project ID. No key and no login are required, because the Firestore REST API and the RTDB .json endpoints are reachable directly and evaluate unauthenticated requests against the same rules. And a project ID is not a secret: it ships in the Firebase config of every web bundle and mobile app that talks to the project.

Forgotten or overly permissive rules ship to production constantly. This actor checks yours in about 30 seconds by probing the collections and paths attackers try first.

What it checks

  • Firestore collections — probes ~35 common collection names (users, profiles, accounts, orders, payments, messages, api_keys, tokens, secrets, and more) via the Firestore REST API at firestore.googleapis.com/v1/projects/<id>/databases/(default)/documents/<collection>.
  • Realtime Database paths — probes common top-level paths (users, posts, messages, rooms, events, data, public, config) across US, EU, and Asia RTDB regions (instance hosts differ per region: <db>.firebaseio.com, <db>.europe-west1.firebasedatabase.app, <db>.asia-southeast1.firebasedatabase.app) using the .json?shallow=true endpoint, which returns only the child keys of a path.
  • Sensitive-field detection — flags sample columns matching email, password, token, secret, phone, address, ssn.
  • Severity scoring — users/profiles/accounts/customers/leads and orders/payments/tokens/secrets are CRITICAL; posts/messages/comments HIGH; analytics/events/logs MEDIUM.

Input

{
  "projectId": "your-firebase-project-id",
  "collectionHints": ["my-custom-collection", "another-table"],
  "outputFormat": "both"
}
  • projectId — your Firebase project ID (from the Firebase Console → Project settings).
  • collectionHints — beyond the ~35 common collections probed by default, list any schema-specific collection names you want checked. The probe is wordlist-based and collection names are case-sensitive, so an openly readable collection with an unusual name is only found if you list it here; a clean run shows that the probed names are locked down, not that every collection is.
  • outputFormat — json for programmatic use, html-report for a human-readable HTML report in the KV store, both (default).

What you get

  • Dataset rows — one structured row per finding, with kind (firestore/rtdb), name, severity, sample columns, sensitive columns, and a curl reproducer.
  • HTML report in the run's key-value store as report.html — severity-coded findings, a ready-to-paste Firestore rules fix, and turnkey-fix offer if leaks are found.

Sample finding

[CRITICAL] firestore: users — readable without auth
Columns: id, email, displayName, role, stripeCustomerId
Sensitive columns detected: email
Reproducer:
curl 'https://firestore.googleapis.com/v1/projects/your-project/databases/(default)/documents/users?pageSize=1'
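The probe-and-classify logic behind a finding like the one above, written out as an added example for Node 18+ (this is illustrative code, not the actor's or the CLI's source). It builds the unauthenticated URLs from the "What it checks" section and turns a raw HTTP status plus JSON body into a finding with columns, sensitive fields, severity and a curl reproducer. Assumptions that are not on the page: the default severity LOW for names the page does not rank, the RTDB instance naming (<projectId> or <projectId>-default-rtdb), the regional hosts, and the sample responses, which are constructed rather than captured from any real project.

```javascript
// Added example, not the actor's own code. Builds the unauthenticated probe
// URLs the page describes and classifies raw HTTP responses into findings.
// Classification is pure and runs offline on the constructed samples below;
// probe() performs live requests only when run as:  node probe.js --project <id>

const SENSITIVE = new Set(['email', 'password', 'token', 'secret', 'phone', 'address', 'ssn']);
const SEVERITY = {
  CRITICAL: ['users', 'profiles', 'accounts', 'customers', 'leads', 'orders', 'payments', 'tokens', 'secrets'],
  HIGH: ['posts', 'messages', 'comments'],
  MEDIUM: ['analytics', 'events', 'logs'],
};

// Split camelCase / snake_case names into words so "ssn" does not match "lesson".
function tokens(column) {
  return column.replace(/([a-z0-9])([A-Z])/g, '$1 $2').toLowerCase().split(/[^a-z0-9]+/).filter(Boolean);
}
function isSensitive(column) {
  return tokens(column).some((t) => SENSITIVE.has(t));
}
function severityFor(name) {
  const n = name.toLowerCase();
  for (const [sev, names] of Object.entries(SEVERITY)) if (names.includes(n)) return sev;
  return 'LOW'; // assumption: the page states no default for other names
}

function firestoreUrl(projectId, collection) {
  return `https://firestore.googleapis.com/v1/projects/${projectId}/databases/(default)/documents/${collection}?pageSize=1`;
}
// RTDB hosts differ by region; the default instance is named after the project
// (older projects) or <projectId>-default-rtdb (newer ones).
function rtdbUrls(projectId, path) {
  const urls = [];
  for (const db of [projectId, `${projectId}-default-rtdb`]) {
    for (const host of [`${db}.firebaseio.com`, `${db}.europe-west1.firebasedatabase.app`, `${db}.asia-southeast1.firebasedatabase.app`]) {
      urls.push(`https://${host}/${path}.json?shallow=true`);
    }
  }
  return urls;
}

function finding(kind, name, columns, empty) {
  return { kind, name, readable: true, empty, severity: severityFor(name), columns, sensitive: columns.filter(isSensitive) };
}

// Firestore: 403 PERMISSION_DENIED means the rules hold. 200 means the rules
// allow anonymous reads, even when the body is {} (readable but empty).
function classifyFirestore(collection, status, body) {
  if (status !== 200) return { kind: 'firestore', name: collection, readable: false, status };
  const docs = (body && body.documents) || [];
  const columns = docs.length ? Object.keys(docs[0].fields || {}) : [];
  return finding('firestore', collection, columns, docs.length === 0);
}

// RTDB: 401 {"error":"Permission denied"} means the rules hold. With shallow=true
// a 200 body maps child keys to true (or is null for an empty path), so the
// "columns" are child keys, e.g. setting names under /config.
function classifyRtdb(path, status, body) {
  if (status !== 200) return { kind: 'rtdb', name: path, readable: false, status };
  const keys = body && typeof body === 'object' ? Object.keys(body) : [];
  return finding('rtdb', path, keys, body === null);
}

function formatFinding(f, url) {
  const head = `[${f.severity}] ${f.kind}: ${f.name} readable without auth${f.empty ? ' (empty)' : ''}`;
  return [head, `Columns: ${f.columns.join(', ') || '(none)'}`, `Sensitive columns detected: ${f.sensitive.join(', ') || 'none'}`, 'Reproducer:', `curl '${url}'`].join('\n');
}

// Constructed sample responses (not captured from any real project), shaped
// like the endpoints' real answers.
const SAMPLE_FIRESTORE_OPEN = { documents: [{ name: 'projects/demo/databases/(default)/documents/users/a1', fields: { email: { stringValue: 'a@example.com' }, displayName: { stringValue: 'A' }, role: { stringValue: 'admin' }, stripeCustomerId: { stringValue: 'cus_123' } } }] };
const SAMPLE_FIRESTORE_DENIED = { error: { code: 403, message: 'Missing or insufficient permissions.', status: 'PERMISSION_DENIED' } };
const SAMPLE_RTDB_OPEN = { apiToken: true, smtpPassword: true, theme: true };
const SAMPLE_RTDB_DENIED = { error: 'Permission denied' };

async function get(url) {
  try {
    const res = await fetch(url);
    return { status: res.status, body: await res.json().catch(() => null) };
  } catch (e) {
    return { status: 0, body: null }; // DNS failure: no instance in that region
  }
}

async function probe(projectId, collections, paths) {
  const out = [];
  for (const c of collections) {
    const url = firestoreUrl(projectId, c);
    const { status, body } = await get(url);
    const f = classifyFirestore(c, status, body);
    if (f.readable) out.push(formatFinding(f, url));
  }
  for (const p of paths) {
    for (const url of rtdbUrls(projectId, p)) {
      const { status, body } = await get(url);
      const f = classifyRtdb(p, status, body);
      if (f.readable) out.push(formatFinding(f, url));
    }
  }
  return out;
}

const argIdx = typeof process !== 'undefined' ? process.argv.indexOf('--project') : -1;
if (argIdx > 0 && process.argv[argIdx + 1]) {
  probe(process.argv[argIdx + 1], ['users', 'orders', 'messages'], ['users', 'config', 'public'])
    .then((findings) => console.log(findings.join('\n\n') || 'No public reads found'));
}
```

Two details worth noticing: a 200 with an empty body is still a finding (the rule is open, the collection just happens to be empty today), and a Firestore 403 or RTDB 401 is the healthy answer, not an error to retry. Run it only against projects you own.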

How to fix (free)

Lock down your Firestore rules so reads require authentication:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Treat that ruleset as a floor, not a finish line: request.auth != null lets any signed-in user, including Anonymous Authentication users if that provider is enabled, read and write every document, and the recursive {document=**} wildcard grants it for every collection. For per-user data, scope reads to the owner (allow read: if request.auth.uid == resource.data.ownerId;). For Realtime Database, set ".read": "auth != null" (or an owner check such as "auth.uid == $uid") at each protected path; RTDB rules cascade downward, so a ".read": true on a parent path makes every child readable and no deeper rule can take that back. Re-run this scanner to confirm zero public reads. Fixing the rules stops future reads only: anything in an exposed tokens, api_keys or secrets collection should be treated as compromised and rotated.
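A Realtime Database ruleset that applies the per-path pattern just described, added here as an example (it is not from the page or the actor): owner-scoped reads and writes under users/$uid, one path that is deliberately public, and a config path readable by any signed-in user but writable by nobody from the client. The path names are assumptions about a hypothetical app.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public": {
      ".read": true,
      ".write": "auth != null"
    },
    "config": {
      ".read": "auth != null",
      ".write": false
    }
  }
}
```

Nothing is declared at the top level on purpose: with no ".read" on "rules", paths that are not listed (say a forgotten /messages) default to denied. If someone later adds ".read": true next to "rules" to make a demo work, every path below inherits it, including users/$uid, whose own rule then no longer restricts anything; that inherited grant is exactly what the scanner's shallow=true probe on the top-level paths catches.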

Ethical use

  • Only scan projects you own or have explicit permission to scan.
  • Counts and sample metadata only — the scanner uses pageSize=1 / shallow=true to confirm a leak exists without exfiltrating your data.
  • All findings remain private to the run owner unless explicitly shared.

FAQ

How do I check if my Firebase project is publicly readable? Enter your Firebase projectId, optionally add collectionHints for custom collections, and run the actor. In about 30 seconds you get a list of every Firestore collection and Realtime Database path readable without authentication, with severity and a curl reproducer for each.

Do I need an API key or service account to run this? No. The whole point is that it probes the same public endpoints an anonymous attacker would hit — the Firestore REST API and RTDB .json endpoints — so it needs only your project ID. No service account, admin SDK, or Firebase login.

Why use this scanner instead of reading my Firebase rules manually? Reading rules tells you what they say; this scanner tells you what they actually expose, by making real unauthenticated requests. Rules can be subtly broken (a stray if true, a misordered match, an inherited RTDB path) in ways that are easy to miss on review. A rules review and an active probe are complementary, but only the probe proves the leak.

What are the alternatives to this Firebase scanner? If you use a different backend, the sister scanners cover it: Supabase, Convex, Appwrite, and Directus. For a free local option there's the open-source CLI: npx @perufitlife/firebase-security.

What vulnerabilities does it check for? It detects unauthenticated read access to Firestore collections and Realtime Database paths — overly permissive or forgotten security rules — and flags sensitive fields (email, password, token, secret, phone, address, ssn) and high-risk collections (users, payments, tokens) with CRITICAL severity.

Is the scan safe and read-only? Yes. It performs only read probes with pageSize=1 / shallow=true to confirm exposure — it never writes, deletes, or pulls bulk data. It surfaces counts and a small sample of column names, not your records.

Automate it

Security drifts: a new collection ships with allow read: if true, a rule gets loosened during a deadline, an RTDB path is added without a .read rule. Use Apify's scheduler to re-scan your Firebase project nightly or weekly, then connect the output via Apify integrations — Slack, Make, n8n, Zapier, or a webhook — to alert your team the moment a public read appears. Recurring audits turn a one-time check into continuous monitoring.

  • CLI (free, runs entirely on your machine): npx @perufitlife/firebase-security
  • Weekly auto-scan SaaS ($29/mo): rls-monitor.vercel.app
  • Turnkey paid fix ($99 one-time): Stripe

Built and maintained by Renzo Madueño, founder of Rotate Pilot, aviation exam-prep software. More tools on GitHub.

If this actor saves you from a data leak, please leave a review. That's the engine that keeps this thing free + improving.