BSides Joburg 2025

Exploiting Firebase Apps with Baserunner
2025-07-26, Track 1

Firebase is a popular serverless application platform with a fundamental fail-open flaw. In 2021, I created a tool for exploiting that flaw, which I still use today. In this talk, I'll showcase the kinds of vulnerabilities I commonly find in Firebase applications, explain why these vulnerabilities persist, and discuss how developers should approach secure Firebase development.


This talk will provide a brief overview of how Firebase works and why developers love it, followed by a demonstration of common authorisation bypass vulnerabilities in Firebase applications and how to exploit them using my Baserunner tool. We'll then dive into why these flaws exist and persist, and close off with suggestions for how developers can design their applications to mitigate or outright avoid them.

Baserunner is available here: https://github.com/iosiro/baserunner

Security Consultant at iosiro. Not the Harry Potter director.