Security SNAFU: Misconfigured Google App Platform Leaked 19M Plaintext Passwords

Most experts would suggest that humans are the weakest link in cybersecurity, which is evidenced by the pervasiveness of phishing emails and whatnot. However, it’s not just end users that can be a problem. System administrators are human too, and can introduce serious problems just the same. This is what a group of researchers have shown by finding misconfigured Firebase instances leaking a plethora of user data, including plaintext passwords, but we cannot wholly blame the administration. There are other problems at play.

In a recent blog post, researchers mrbruh, xyzeva, and logykk scanned the entire internet for exposed personally identifiable information (PII) hosted in misconfigured Firebase instances. Firebase is a cloud-based backend and application development platform provided by Google, wherein users can host services and databases for their applications. Many of these instances, though, are not configured correctly and may be exposing a significant quantity of data. The first attempt to dig into this was a Python scanner that MrBruh developed, which ended up chewing through memory and bricking after only an hour.


The next attempt came from Logykk, who rewrote the scanner in Go. While it was estimated to take only 11 days to scan through 5.5 million domains, it took around three weeks to get through everything. By the end, a 550k-line text file had been generated, which the team started digging through manually. This was rather time-consuming and “repetitive,” which we could very well imagine. In the end, though, 136 sites and 6.2 million records were found. Since this data was essentially found by hand, the process was not nearly as effective as had been hoped. Therefore, the team pivoted to a more automated solution that xyzeva created, run against the shortlist of afflicted sites, with which they were able to find 124,605,664 records, including names, emails, phone numbers, passwords, and billing information. However, it is noted that the numbers they list should be taken with a grain of salt because “they are likely larger than shown here.”


Xyzeva spoke with BleepingComputer and noted that 98% of the passwords discovered, 19,867,627 precisely, were in plain text, which is incredibly concerning. It is also explained that companies must have gone “out of their way” to end up with plain-text passwords, since Firebase is designed so that passwords are not stored in records in the first place.

When all was said and done, the team sent out 842 emails over 12 days to notify the sites affected by the problem. 85% of the emails were delivered and 9% bounced, but only 24% of site owners fixed the issue. This ratio is disheartening, as it means that administrators are just being complacent and even potentially malicious to some extent. The blog post also notes that "Firebase allows for easy misconfiguration of security rules with zero warnings," so clearly, Google has some work to do, too.
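To make the misconfiguration concrete, here is an added example (not code from the researchers' blog post or from Google) of a Firestore security rules file: the commented-out block is the kind of catch-all rule that exposes every record to anyone on the internet, and the live block beneath it is a hardened replacement. The `users` collection and its `password` field are assumed for illustration.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // MISCONFIGURED: a catch-all match that grants read and write to every
    // unauthenticated caller. Firebase deploys this without any warning.
    //
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // HARDENED: a signed-in user may only read and modify their own document,
    // and any write that tries to store a 'password' field is rejected, since
    // credentials belong in Firebase Authentication, never in a data record.
    match /users/{uid} {
      allow read: if request.auth != null
                  && request.auth.uid == uid;

      allow create, update: if request.auth != null
                            && request.auth.uid == uid
                            && !('password' in request.resource.data);

      allow delete: if false;
    }

    // Everything not matched above is denied (Firestore's default), which is
    // the behaviour the catch-all rule silently overrides.
  }
}
```

Before deploying, the Rules Playground in the Firebase console can be used to confirm that an unauthenticated read of `/users/{some-id}` is denied under the hardened rules.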