Firebase (severity: High)

Public Firestore Collection

Firestore collections are readable by anyone without authentication due to missing or permissive security rules.

Last updated 2026-01-15

What Is This Vulnerability

Public Firestore Collection is a vulnerability where Cloud Firestore collections are configured with security rules that allow unauthenticated read access. This typically happens when developers use permissive rules during development and forget to tighten them before deploying to production. Any user, including unauthenticated attackers, can query the collection and retrieve all documents.

Firebase Security Rules control access at the document and collection level. When rules contain allow read: if true; on a path, or when a collection has no rule of its own but is covered by a permissive recursive wildcard such as match /{document=**}, the data is effectively public.

Why It's Dangerous

Publicly readable Firestore collections can expose:

  • User personal data — emails, phone numbers, addresses, and profile information.
  • Business logic data — pricing tiers, internal configurations, and feature flags.
  • Authentication tokens — session data or refresh tokens stored in Firestore.
  • Financial data — transaction records, payment histories, and invoice details.

An attacker does not need to reverse-engineer your application. They only need your Firebase project ID (which is public in every Firebase app) to construct API calls and enumerate collections. Tools like firebase-scanner and AuditYour.app automate this detection.

How to Detect

Test collection access using the Firebase REST API without authentication:

# Replace PROJECT_ID and COLLECTION with your values
curl "https://firestore.googleapis.com/v1/projects/PROJECT_ID/databases/(default)/documents/COLLECTION"

If the response returns documents instead of a permission error, the collection is publicly readable. You can also review your rules directly:

// firestore.rules — look for overly permissive patterns
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // DANGEROUS: allows anyone to read any document
    match /{document=**} {
      allow read: if true;
    }
  }
}

AuditYour.app scans known collection names and attempts unauthenticated reads to flag exposed data.
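The curl check above tells you whether one collection answers, but reading the raw JSON by eye does not scale past a handful of collections. The following is an added example (not code from the original page or from AuditYour.app) that builds the same listDocuments URL, sends it with no credentials, and classifies the answer: an HTTP 200 with a documents array means the collection is exposed, a 200 with an empty body means the rules still permit listing but the collection is empty, and a 403 PERMISSION_DENIED means the rules are doing their job. It reports only field names, never field values, so the audit output does not itself become a copy of the exposed data. The verdict names, helper names and the sample responses are constructed for this example.

```python
"""Added example: classify unauthenticated Firestore REST probe responses.

Helper names, verdict strings and sample payloads are constructed for this
illustration; they are not part of the original page.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

FIRESTORE_API = "https://firestore.googleapis.com/v1"


def document_list_url(project_id: str, collection: str, page_size: int = 5) -> str:
    """Same listDocuments endpoint as the curl check; pageSize keeps the probe small."""
    return (f"{FIRESTORE_API}/projects/{quote(project_id, safe='')}"
            f"/databases/(default)/documents/{quote(collection, safe='')}"
            f"?pageSize={page_size}")


def classify_response(status: int, body: str) -> dict:
    """Map an HTTP status and JSON body from listDocuments to a verdict.

    Only field *names* are collected, never values, so the report does not
    copy exposed data around.
    """
    try:
        payload = json.loads(body) if body.strip() else {}
    except json.JSONDecodeError:
        payload = None
    if not isinstance(payload, dict):
        return {"verdict": "UNEXPECTED", "http_status": status,
                "document_count": 0, "field_names": []}

    if status == 200:
        docs = payload.get("documents", [])
        field_names = sorted({name for doc in docs for name in doc.get("fields", {})})
        if docs:
            return {"verdict": "EXPOSED", "http_status": status,
                    "document_count": len(docs), "field_names": field_names,
                    "more_pages": "nextPageToken" in payload}
        # 200 with no documents: the rules allowed the list; the collection is
        # merely empty or named differently. The rule is still too permissive.
        return {"verdict": "READABLE_BUT_EMPTY", "http_status": status,
                "document_count": 0, "field_names": []}
    if status == 403:
        return {"verdict": "DENIED", "http_status": status,
                "document_count": 0, "field_names": [],
                "message": payload.get("error", {}).get("message", "")}
    return {"verdict": "UNEXPECTED", "http_status": status,
            "document_count": 0, "field_names": []}


def check_collection(project_id: str, collection: str, timeout: int = 10) -> dict:
    """Probe one collection of your own project with no credentials attached."""
    req = urllib.request.Request(document_list_url(project_id, collection))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode())


# Constructed sample responses in the shape the REST API returns.
SAMPLE_EXPOSED = json.dumps({
    "documents": [
        {"name": "projects/demo-project/databases/(default)/documents/users/u1",
         "fields": {"email": {"stringValue": "a@example.com"},
                    "phone": {"stringValue": "+15550100"}}},
        {"name": "projects/demo-project/databases/(default)/documents/users/u2",
         "fields": {"email": {"stringValue": "b@example.com"}}},
    ],
    "nextPageToken": "constructed-token",
})
SAMPLE_DENIED = json.dumps({"error": {"code": 403,
                                      "message": "Missing or insufficient permissions.",
                                      "status": "PERMISSION_DENIED"}})

if __name__ == "__main__":
    for label, status, body in (("users (open)", 200, SAMPLE_EXPOSED),
                                ("users (locked)", 403, SAMPLE_DENIED),
                                ("empty", 200, "{}")):
        print(label, classify_response(status, body))
```

To run it against a real project, call check_collection("your-project-id", "users") for each collection name your client code references; anything other than DENIED deserves a rules fix.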

How to Fix

Replace permissive rules with authentication-based access control:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Users can only read their own profile
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow write: if request.auth != null && request.auth.uid == userId;
    }

    // Orders are readable only by the owner
    match /orders/{orderId} {
      allow read: if request.auth != null
        && resource.data.userId == request.auth.uid;
      allow write: if false; // writes handled server-side
    }

    // Default deny — no other collections are accessible
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

Deploy updated rules immediately with firebase deploy --only firestore:rules and test access using the Firebase Emulator Suite before going live.
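Before deploying, it helps to check the rules file itself for the patterns that reopen a collection: a read granted with a literal true, the shorthand allow read; (which means the same thing), and the time-limited test-mode condition request.time < timestamp.date(...) that the Firebase console generates and that expires rather than locks down. The following is an added example (not code from the original page or from AuditYour.app) that scans a firestore.rules file with a small tokenizer, tracks the nested match paths, and reports every read rule that is open to unauthenticated clients, plus whether an explicit catch-all deny like the one above is present. The function names, the finding format and the constructed test-mode sample are assumptions of this example; the scanner understands only the subset of the rules language used on this page (match blocks, allow statements, line comments) and would need extending for function declarations.

```python
"""Added example: heuristic audit of a firestore.rules file.

Names, finding format and the TEST_MODE sample are constructed for this
illustration. Understands match blocks, allow statements and // comments;
function blocks and block comments are out of scope.
"""
import re

TOKEN = re.compile(
    r"match\s+(?P<path>\S+)\s*\{"                                     # opens a match block
    r"|(?P<close>\})"                                                 # closes one
    r"|allow\s+(?P<ops>[a-z,\s]+?)\s*(?::\s*if\s+(?P<cond>.*?))?;",   # allow statement
    re.DOTALL,
)
READ_OPS = {"read", "get", "list"}


def audit_rules(source: str) -> dict:
    """Return open read rules and whether an explicit {document=**} deny exists."""
    source = re.sub(r"//[^\n]*", "", source)  # strip line comments before scanning
    stack = []          # enclosing match paths, innermost last
    findings = []
    explicit_default_deny = False
    for tok in TOKEN.finditer(source):
        if tok.group("path"):
            stack.append(tok.group("path"))
        elif tok.group("close"):
            if stack:
                stack.pop()
        else:
            ops = {o.strip() for o in tok.group("ops").split(",")}
            # "allow read;" with no condition is shorthand for "if true"
            cond = " ".join((tok.group("cond") or "true").split())
            path = "".join(stack)
            finding = {"path": path, "ops": sorted(ops), "condition": cond}
            if ops & READ_OPS and cond == "true":
                findings.append({**finding, "issue": "unauthenticated read"})
            elif ops & READ_OPS and cond.startswith("request.time <"):
                findings.append({**finding, "issue": "time-limited open read (test-mode template)"})
            if path.endswith("{document=**}") and cond == "false":
                explicit_default_deny = True
    return {"public_reads": findings, "explicit_default_deny": explicit_default_deny}


# The page's dangerous rules, verbatim.
DANGEROUS_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // DANGEROUS: allows anyone to read any document
    match /{document=**} {
      allow read: if true;
    }
  }
}"""

# The page's fixed rules, shortened to the users and orders blocks plus the catch-all.
FIXED_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow write: if request.auth != null && request.auth.uid == userId;
    }
    match /orders/{orderId} {
      allow read: if request.auth != null
        && resource.data.userId == request.auth.uid;
      allow write: if false; // writes handled server-side
    }
    match /{document=**} {
      allow read, write: if false;
    }
  }
}"""

# Constructed: the console's expiring test-mode template.
TEST_MODE_RULES = """rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2026, 2, 14);
    }
  }
}"""

if __name__ == "__main__":
    for label, rules in (("dangerous", DANGEROUS_RULES), ("fixed", FIXED_RULES),
                         ("test-mode", TEST_MODE_RULES)):
        print(label, audit_rules(rules))
```

One caveat the static check cannot catch: Firestore rules are not filters. The orders rule above passes a get of a single document the caller owns, but a list query succeeds only if the query itself is constrained to the caller's documents (for example where userId == request.auth.uid); an unconstrained query against that collection is rejected outright rather than trimmed to the allowed rows, so exercise both get and list paths in the emulator.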

Scan your app for this vulnerability

AuditYourApp automatically detects security misconfigurations in Supabase and Firebase projects. Get actionable remediation in minutes.
