Expected Findings
- Top-level rule is `".read": true, ".write": true`.
- Anyone with the project URL can list and overwrite users.
- Storage bucket rules carry the same `allow read, write: if true`.

The realtime database security rules are set to `".read": true, ".write": true`, so any client with the project ID can dump and overwrite the entire tree.

CWE-862, CWE-306
```json
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
```
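One way to catch this finding before deployment, as an added example that is not part of the original page: a small Node.js audit that walks a Realtime Database rules object and reports every unconditional `.read`/`.write`. It goes slightly beyond the finding by also flagging child rules that look restrictive but sit under an open parent, since a grant at a parent path applies to all of its children; the `users/$uid` layout and the per-user condition are assumed sample data.

```javascript
// Added example: audit a Realtime Database rules object for unconditional access.
// CONSTRUCTED sample rules; the "users"/"$uid" layout is an assumption.
const openRules = {
  rules: {
    ".read": true, ".write": true,
    users: { "$uid": { ".read": "auth != null && auth.uid === $uid",
                       ".write": "auth != null && auth.uid === $uid" } }
  }
};
// Same tree without the open top-level rule: access is scoped per user.
const scopedRules = {
  rules: {
    users: { "$uid": { ".read": "auth != null && auth.uid === $uid",
                       ".write": "auth != null && auth.uid === $uid" } }
  }
};

// A rule is unconditional when it is literal true or the expression "true".
function isOpen(rule) {
  return rule === true || (typeof rule === "string" && rule.trim() === "true");
}

// Walk the tree. A grant at a parent applies to every child, so a child rule
// under an open ancestor is reported as ineffective rather than trusted.
function auditRules(node, path = "/", inherited = { ".read": null, ".write": null }) {
  const findings = [];
  const state = { ...inherited };
  for (const op of [".read", ".write"]) {
    if (isOpen(node[op])) {
      findings.push({ path, op, reason: "unconditional" });
      if (state[op] === null) state[op] = path;
    } else if (op in node && state[op] !== null) {
      findings.push({ path, op, reason: `overridden by open rule at ${state[op]}` });
    }
  }
  for (const [key, child] of Object.entries(node)) {
    // Skip rule keys (.read, .write, .validate, .indexOn) and non-object values.
    if (key.startsWith(".") || child === null || typeof child !== "object") continue;
    const childPath = path === "/" ? `/${key}` : `${path}/${key}`;
    findings.push(...auditRules(child, childPath, state));
  }
  return findings;
}

function audit(rulesFile) {
  return auditRules(rulesFile.rules || {});
}

console.log(audit(openRules));   // four findings: two at "/", two at "/users/$uid"
console.log(audit(scopedRules)); // no findings
```

Run it in CI against the rules file that will be deployed and fail the build when the returned array is non-empty.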