TLDR:
– Firebase allows for easy misconfiguration of security rules with zero warnings
– This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information
After the initial buzz of pwning Chattr.ai had settled down, we set to work on scanning the entire internet for exposed PII via misconfigured Firebase instances.…