Google Firebase may have exposed 125M records from misconfigurations

More than 900 misconfigured Google Firebase websites could have leaked nearly 125 million user records, according to a recent post by a trio of security researchers who go by the online handles "mrbuh," "xyzeva" and "logykk."

Security researcher mrbruh first reported Jan. 10 that in hacking into Chattr.ai, the AI-based hiring system, they had successfully accessed popular retail food websites such as Applebee’s, Chick-fil-A, KFC, Subway and Taco Bell.

The Retail and Hospitality ISAC reported on the incident Jan. 11, the day after the first post by mrbruh, saying that attackers can use Chattr.ai’s registration feature to create new user profiles with full read/write privileges by abusing a vulnerability or a misconfiguration in their Google Firebase backend database. Companies in the retail and hospitality industry were then advised to contact Chattr.ai.

After the initial press around the of pwning Chattr.ai, the trio of researchers set to work on scanning the internet for exposed PII via misconfigured Firebase instances — and that’s when they found the leaked records, including important bank details, billing information and invoices. The leaked data also included names, phone numbers, email addresses and passwords.  

Efforts to reach Chattr.ai and Google for comment were unsuccessful as of publication.

Industry no stranger to misconfigurations

Most successful attacks on cloud infrastructure these days stem from misconfigurations, said Patrick Tiquet, vice president, security and architecture at Keeper Security. Google Firebase continuously upgrades and evolves its security recommendations, Tiquet said, however, these components are not always implemented properly or monitored, as is the case with Chattr’s implementation of Firebase.

“Administrators should always ensure they’re using a secure vault and secrets management solution, and performing necessary patches and updates immediately,” said Tiquet. “They should also check their cloud console’s security controls to ensure they’re following the latest recommendations.”

Jason Soroko, senior vice president of product at Sectigo, said this case was a great lesson for both users of cloud systems, as well as the cloud architects themselves.

“The recent Google Firebase issue could be worse in some ways because of the administrative functions it allows a malicious actor, leading to a potentially deeper level of compromise,” said Soroko. “Let’s see if we get a set of tools to help us better evaluate the configuration.”