HIGH token leakagefirestore

Token Leakage in Firestore

Scan your API now

How Token Leakage Manifests in Firestore

Token leakage in Firestore typically occurs when authentication tokens, session identifiers, or database keys are inadvertently exposed in client-side code, API responses, or error messages. Firestore's client libraries and security rules create specific vulnerability patterns that attackers can exploit.

The most common Firestore token leakage scenarios involve:

  • Firestore ID tokens exposed in browser console logs or network requests
  • Document IDs containing sensitive information that become predictable
  • Security rules that inadvertently reveal whether documents exist
  • Collection names that expose business logic or user data structure
  • Metadata fields containing timestamps or counters that enable enumeration

Consider this vulnerable Firestore pattern:

const db = firebase.firestore();
const userDoc = db.collection('users').doc(userId);
userDoc.get().then(doc => {
  if (doc.exists) {
    console.log('User found:', userId); // Potential token leakage via console
    return doc.data();
  } else {
    console.log('User not found:', userId); // Enumeration possible
    return null;
  }
});

This code leaks information through timing differences and console output. An attacker can distinguish between valid and invalid user IDs based on response times and error messages.

Another critical pattern is Firestore security rules that reveal document existence:

match /users/{userId} {
  allow read: if request.auth.uid == userId;
  allow write: if request.auth.uid == userId;
}

match /users/{userId} {
  allow read: if request.auth.uid == userId;
  allow write: if request.auth.uid == userId;
}

match /users/{userId} {
  allow read: if request.auth.uid == userId;
  allow write: if request.auth.uid == userId;
}

Even though the rules look secure, the HTTP 404 vs 403 response codes leak whether a user document exists, enabling account enumeration attacks.

Firestore's client-side SDK also creates token leakage opportunities through:

  • Default error messages containing stack traces with database paths
  • Query cursors that reveal data boundaries
  • Transaction IDs that can be correlated across requests
  • Collection group queries that expose the full data graph

Firestore-Specific Detection

Detecting token leakage in Firestore requires both static analysis of your security rules and dynamic scanning of your API endpoints. middleBrick's Firestore-specific scanner examines your Firestore configuration and runtime behavior to identify these vulnerabilities.

middleBrick performs these Firestore-specific checks:

  • Security Rules Analysis: Parses your Firestore security rules to identify overly permissive patterns, missing validation, and information disclosure through error responses
  • Token Exposure Scanning: Tests whether authentication tokens or session identifiers appear in client-side code, network responses, or error messages
  • Enumeration Detection: Attempts to enumerate document IDs by analyzing response timing and error codes
  • Metadata Leakage: Checks for exposed timestamps, counters, or other metadata that could enable data reconstruction

Using middleBrick's CLI for Firestore scanning:

npx middlebrick scan https://firestore.googleapis.com/projects/YOUR_PROJECT_ID/databases/(default)/documents

The scanner tests your Firestore endpoint with 12 parallel security checks, including authentication bypass attempts and data exposure analysis. It specifically looks for Firestore's unique token leakage patterns:

Check TypeFirestore-Specific PatternDetection Method
AuthenticationID token exposure in client codeStatic analysis of JavaScript bundles
BOLA/IDORPredictable document IDsEnumeration attempts with sequential IDs
Data ExposureMetadata field leakageResponse content analysis
Inventory ManagementCollection structure exposureDiscovery of hidden collections

For comprehensive Firestore security, middleBrick also analyzes your OpenAPI/Swagger specifications if provided, cross-referencing API endpoints with your Firestore data model to identify potential token leakage paths between your REST API and Firestore backend.

Firestore-Specific Remediation

Remediating token leakage in Firestore requires a multi-layered approach combining secure coding practices, robust security rules, and careful client-side implementation. Here are Firestore-specific fixes for common token leakage patterns.

1. Secure Security Rules with Generic Error Responses

Instead of revealing document existence through different error codes, use consistent responses:

match /users/{userId} {
  allow read: if request.auth.uid == userId;
  allow write: if request.auth.uid == userId;
}

match /users/{userId} {
  allow read: if request.auth.uid == userId;
  allow write: if request.auth.uid == userId;
}

match /users/{userId} {
  allow read: if request.auth.uid == userId;
  allow write: if request.auth.uid == userId;
}

2. Client-Side Code Protection

Sanitize console output and handle errors without exposing sensitive data:

const db = firebase.firestore();
const userDoc = db.collection('users').doc(userId);

userDoc.get()
  .then(doc => {
    if (doc.exists) {
      return { success: true, data: doc.data() };
    } else {
      return { success: false, data: null };
    }
  })
  .catch(error => {
    console.error('Database operation failed'); // Generic message
    return { success: false, error: 'Operation failed' };
  });

3. Use Firestore's Built-in Security Features

Leverage Firestore's security features to prevent token leakage:

// Use Cloud Functions to validate and sanitize data
exports.sanitizeUserData = functions.firestore
  .document('users/{userId}')
  .onWrite((change, context) => {
    const newData = change.after.data();
    
    // Remove sensitive metadata before storing
    if (newData.metadata) {
      delete newData.metadata;
    }
    
    return change.after.ref.set(newData, { merge: true });
  });

4. Implement Proper Authentication Token Handling

Ensure Firestore ID tokens are properly secured:

// Generate tokens only when needed and expire them quickly
const getIdToken = async () => {
  const user = firebase.auth().currentUser;
  if (!user) {
    throw new Error('User not authenticated');
  }
  
  // Set a short expiration time
  return await user.getIdToken(true, { 
    expiresIn: '1m' 
  });
};

// Never log tokens or expose them in client-side code
getIdToken().then(token => {
  // Use token immediately for API calls
  fetch('/api/secure-endpoint', {
    headers: { 'Authorization': `Bearer ${token}` }
  });
});

5. Use Firestore's Aggregation Queries

Instead of client-side enumeration, use server-side aggregation:

// Server-side Cloud Function to safely count documents
exports.countUsers = functions.https.onRequest(async (req, res) => {
  try {
    const count = await admin.firestore()
      .collection('users')
      .count()
      .get();
    
    res.json({ userCount: count });
  } catch (error) {
    res.status(500).json({ error: 'Counting failed' });
  }
});
Scan your API now Free API security scan

Frequently Asked Questions

How does Firestore's client SDK contribute to token leakage?
Firestore's client SDK can inadvertently expose tokens through default error messages containing stack traces with database paths, query cursors that reveal data boundaries, and transaction IDs that can be correlated across requests. The SDK also generates detailed error objects that may contain sensitive information about your database structure. Always implement error handling that sanitizes these details before they reach the client or logs.
Can middleBrick detect Firestore token leakage in my existing application?
Yes, middleBrick can detect Firestore token leakage by scanning your Firestore endpoint and analyzing your security rules. The scanner tests for authentication bypass, data exposure, and enumeration vulnerabilities specific to Firestore's architecture. It also examines your OpenAPI/Swagger specifications to identify potential token leakage paths between your REST API and Firestore backend. The scan takes 5-15 seconds and provides a security risk score with prioritized findings and remediation guidance.

Related Pages

Token Leakage in APIsToken leakage exposes authentication credentials in API responses, enabling account takeover and data breaches. Learn hoToken Leakage with Basic AuthLearn how Basic Auth credentials leak through logs, error responses, and client storage, plus specific detection methodsToken Leakage with Api KeysAPI key token leakage exposes credentials through client-side code, logs, and misconfiguration. Learn detection methods Token Leakage with Bearer TokensLearn how Bearer Tokens are vulnerable to token leakage through XSS, URL exposure, CORS misconfigurations, and improper Gdpr: Token LeakageLearn how token leakage creates GDPR risks, how middleBrick detects exposed tokens in API responses, and how to remediatIso 27001: Token LeakageLearn how ISO 27001 applies to token leakage in APIs, detection methods, and remediation strategies with code examples. Cis: Token LeakageLearn how cis patterns cause token leakage in APIs, detection via black-box scanning, and code-level fixes to prevent exHipaa: Token LeakageLearn how token leakage leads to HIPAA violations in health APIs, with detection methods and code-specific fixes for JavToken Leakage in Aspnet with FirestoreLearn how token leakage occurs in ASP.NET apps using Firestore, and apply concrete code fixes to protect credentials andToken Leakage in Actix with FirestoreToken leakage in Actix with Firestore: causes and secure handler patterns using Firestore client best practices.Token Leakage in Adonisjs with FirestoreToken leakage in AdonisJS with Firestore: causes, secure initialization patterns, Firestore rules, and remediation guidaToken Leakage in Axum with FirestoreUnderstand token leakage risks when using Axum with Firestore, and apply concrete Rust code fixes to keep tokens out of