Firebase · Medium

Firebase Storage Bucket Exposure

Firebase Cloud Storage bucket is publicly accessible, allowing anyone to list and download files.

Last updated 2026-01-15

What Is This Vulnerability

Firebase Storage Bucket Exposure occurs when Cloud Storage for Firebase is configured with security rules that allow unauthenticated read access to stored files. Firebase Storage uses a separate set of security rules from Firestore, and developers often overlook tightening these rules after development. When the default permissive rules remain in production, anyone with the bucket URL can list, download, or even upload files.

The bucket URL follows a predictable pattern: gs://PROJECT_ID.appspot.com or https://firebasestorage.googleapis.com/v0/b/PROJECT_ID.appspot.com/o/, making it trivial for attackers to discover.

Why It's Dangerous

Exposed storage buckets can leak:

  • User-uploaded content — profile photos, identity documents, medical records, and private files.
  • Application assets — internal documents, configuration files, and proprietary resources.
  • Backup data — database exports or log files developers stored for convenience.
  • Signed URLs — if files are meant to be accessed via signed URLs, public rules bypass that mechanism entirely.

In severe cases, writable buckets allow attackers to upload malicious files, replace legitimate assets with tampered versions, or store illegal content under your project.

How to Detect

Test public access to the storage bucket:

# List files in the root of the bucket
curl "https://firebasestorage.googleapis.com/v0/b/PROJECT_ID.appspot.com/o/"

# Attempt to download a known file path
curl "https://firebasestorage.googleapis.com/v0/b/PROJECT_ID.appspot.com/o/uploads%2Fprofile.jpg?alt=media"
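The two curl probes above can be wrapped in a small script that records exactly what an anonymous caller gets back, so the check can be repeated after every rules change. This is an added example written for this page, not AuditYourApp's scanner; it assumes the endpoints shown in the curl commands, and the `prefix` query parameter on the list endpoint is taken from the Firebase Storage REST API rather than from this page. The `classify` function does the triage and can be exercised with constructed responses without touching the network.

```python
"""Probe a Cloud Storage for Firebase bucket for anonymous list/download access.

Added example for this page, not AuditYourApp's own checker. It assumes the
REST endpoints used by the curl commands above; the `prefix` query parameter
on the list endpoint is an assumption taken from the Firebase Storage REST API.
"""
from __future__ import annotations

import json
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

BASE = "https://firebasestorage.googleapis.com/v0/b"


def list_url(bucket: str, prefix: str = "") -> str:
    """List endpoint; the object prefix goes in the query string (assumed REST list API)."""
    return f"{BASE}/{bucket}/o?prefix={quote(prefix, safe='')}"


def download_url(bucket: str, object_path: str) -> str:
    """Download endpoint; the object name is one URL-encoded path segment ('/' -> %2F)."""
    return f"{BASE}/{bucket}/o/{quote(object_path, safe='')}?alt=media"


def classify(status: int, body: bytes, mode: str) -> str:
    """Map an anonymous request's HTTP status and body to a finding label.

    mode is "list" for the list endpoint or "download" for an alt=media request.
    """
    if status in (401, 403):
        return "denied"            # rules rejected the anonymous caller: the expected result
    if status == 404:
        return "not_found"         # bucket or object does not exist
    if status != 200:
        return f"unexpected_{status}"
    if mode == "download":
        return "public_download"   # file bytes were served without any token
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected_body"
    if "items" in data or "prefixes" in data:
        return "public_listing"    # anonymous callers can enumerate object names
    return "public_metadata"       # object metadata readable without a token


def fetch(url: str) -> tuple[int, bytes]:
    """GET with no Authorization header, returning (status, body) even on HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "storage-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_bucket(bucket: str, sample_object: str | None = None) -> dict[str, str]:
    """Run the listing probe and, optionally, a download probe for one known object path."""
    results = {"listing": classify(*fetch(list_url(bucket)), "list")}
    if sample_object:
        results["download"] = classify(*fetch(download_url(bucket, sample_object)), "download")
    return results


if __name__ == "__main__":
    # usage: python check_bucket.py PROJECT_ID.appspot.com [uploads/profile.jpg]
    bucket_name = sys.argv[1]
    obj = sys.argv[2] if len(sys.argv) > 2 else None
    for probe, verdict in check_bucket(bucket_name, obj).items():
        # any verdict starting with "public_" is a finding to fix in storage.rules
        print(f"{probe}: {verdict}")
```

A `denied` verdict for both probes is what a correctly locked-down bucket returns; `public_listing` is the more serious of the two read findings, because it turns "guess a file name" into "read the directory".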

Review your storage rules for permissive patterns:

// storage.rules — DANGEROUS default
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}

AuditYour.app probes common storage paths and checks whether files are downloadable without authentication tokens.

How to Fix

Restrict storage access based on authentication and file ownership:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // User profile images — any signed-in user can read, only the owner can write
    match /users/{userId}/profile/{fileName} {
      allow read: if request.auth != null;
      // request.resource is null on delete, so this rule also blocks the owner's
      // deletes; split into create/update and delete if owners need to remove files
      allow write: if request.auth != null
        && request.auth.uid == userId
        && request.resource.size < 5 * 1024 * 1024  // 5MB limit
        && request.resource.contentType.matches('image/.*');
    }

    // Private documents — owner only
    match /users/{userId}/documents/{fileName} {
      allow read, write: if request.auth != null
        && request.auth.uid == userId;
    }

    // Public assets — anyone can download, nobody can list or write.
    // 'read' covers both 'get' and 'list', so 'allow read: if true' would also
    // expose the directory contents; granting only 'get' keeps them private.
    match /public/{fileName} {
      allow get: if true;
      allow list: if false;
      allow write: if false;
    }

    // Deny everything else
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}

Deploy with firebase deploy --only storage and verify using the Firebase Emulator. Remove any files that should not be public and rotate any secrets that may have been exposed.
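Before deploying, the "review your storage rules for permissive patterns" step above can be automated with a small linter that walks a storage.rules file and flags `if true` grants, writes that never check `request.auth`, `read` grants that silently include `list`, and a missing catch-all deny. This is an added example for this page, not AuditYourApp's checker (which probes the live bucket instead). It assumes rules_version 2 syntax as in the snippets above, `//` line comments, and no braces or semicolons inside string literals; both rules files embedded in it are constructed samples modelled on the snippets above.

```python
"""Lint a storage.rules file for the permissive patterns discussed on this page.

Added example, not AuditYourApp's checker. Assumptions: rules_version 2 syntax,
'//' line comments, and no '{', '}' or ';' inside string literals.
"""
from __future__ import annotations

import re

WRITE_METHODS = {"write", "create", "update", "delete"}

# Constructed sample: the dangerous default shown in the detection section.
DANGEROUS_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;
    }
  }
}
"""

# Constructed sample: owner-only documents, a download-only public folder, catch-all deny.
FIXED_RULES = """
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/documents/{fileName} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /public/{fileName} {
      allow get: if true;      // download only: 'read' would also grant 'list'
      allow write: if false;
    }
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}
"""


def lint(rules_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one rules file."""
    text = re.sub(r"//[^\n]*", "", rules_text)              # drop line comments (not string-aware)
    text = re.sub(r"\{(\w+(?:=\*\*)?)\}", r"<\1>", text)    # protect {wildcard} braces from block matching
    findings: list[tuple[str, str]] = []
    if not re.search(r"rules_version\s*=\s*'2'", text):
        findings.append(("info", "rules_version is not '2'; granular get/list methods need version 2"))
    stack: list[str] = []          # open match paths, innermost last
    buf = ""
    catch_all_denied = False
    for ch in text:
        if ch == "{":
            head = " ".join(buf.split())
            m = re.match(r"match\s+(\S+)", head)
            stack.append(m.group(1) if m else "")   # non-match blocks (service) add no path
            buf = ""
        elif ch == "}":
            if stack:
                stack.pop()
            buf = ""
        elif ch == ";":
            stmt = " ".join(buf.split())
            buf = ""
            m = re.match(r"allow\s+([a-z, ]+?)\s*(?::\s*if\s+(.+))?$", stmt)
            if not m:
                continue                                   # rules_version, etc.
            methods = [x.strip() for x in m.group(1).split(",")]
            cond = (m.group(2) or "true").strip()          # 'allow read;' means 'if true'
            path = "".join(stack).replace("<", "{").replace(">", "}")
            writes = bool(WRITE_METHODS & set(methods))
            if cond == "false":
                if "=**}" in path:
                    catch_all_denied = True
                continue
            if cond == "true":
                severity = "high" if writes else ("medium" if "**" in path else "info")
                findings.append((severity, f"unauthenticated {', '.join(methods)} allowed on {path}"))
                if "read" in methods or "list" in methods:
                    findings.append(("medium", f"anonymous listing possible on {path}: "
                                               "'read' grants get and list; use 'get' for download-only paths"))
                continue
            if writes and "request.auth" not in cond:
                findings.append(("high", f"write on {path} is allowed without checking request.auth"))
        else:
            buf += ch
    if not catch_all_denied:
        findings.append(("info", "no explicit catch-all deny (match /{allPaths=**} { allow read, write: if false; }); "
                                 "unmatched paths are denied by default, but stating it makes reviews easier"))
    return findings


if __name__ == "__main__":
    for name, rules in (("dangerous", DANGEROUS_RULES), ("fixed", FIXED_RULES)):
        print(f"== {name} ==")
        for severity, message in lint(rules):
            print(f"[{severity}] {message}")
```

The linter is a review aid, not a substitute for the Emulator: it reasons about the text of the rules, while the Emulator evaluates them against real requests, which is the only way to catch mistakes in the conditions themselves.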

Scan your app for this vulnerability

AuditYourApp automatically detects security misconfigurations in Supabase and Firebase projects. Get actionable remediation in minutes.
