There are over 100k Firebase authentication files on public GitHub repos

Exhibit A: https://github.com/search?q=filename%3Agoogle-services.json&type=Code

also amusing: https://github.com/search?q=%22delete+google-services.json%22&type=Commits

11 points | by stackola 1900 days ago

4 comments

  • rvnx 1900 days ago
    Embedding Firebase and running client-side operations is the concept of Firebase itself; you create an API key for your app and put it in google-services.json. It's a public+non-secret file.
    • stackola 1900 days ago
      Yes, you're right, I was under the impression those were more confidential. Still, having 100k Firestore URLs can't be good, given how hard it is to correctly secure Firestore. Also, using similar queries, you can try looking for the definitely-not-public serviceAccountKey.json.
  • villgax 1900 days ago
    This literally comes with every website using Firebase with the configuration in the JavaScript, what's your point?
  • infinii 1898 days ago
    It's hard to avoid. My project has a firebaseConfig.js.sample file committed as a reminder to the deployer, they need to create their own. And I put firebaseConfig.js into .gitignore in case a developer is careless.
  • happppy 1899 days ago
    • quickthrower2 1898 days ago
      I’d love to try it out but don’t want to get in trouble!
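
Added example, not part of the original thread: the comments above separate the client-side google-services.json, which ships with the app, from serviceAccountKey.json, which must stay private. This Python check, meant for a pre-commit hook or CI job on your own repository, classifies JSON files by content rather than by file name, so a renamed service account key is still caught. The function names and the sample documents are constructed for illustration.

```python
import json
import os
import sys

def classify(text):
    """Classify JSON text by structure, not by file name."""
    try:
        doc = json.loads(text)
    except ValueError:
        return "other"
    if not isinstance(doc, dict):
        return "other"
    # Service account keys carry a private key: these must never be committed.
    if doc.get("type") == "service_account" and "private_key" in doc:
        return "service_account_key"
    # google-services.json: client-side config that ships inside the app.
    if "project_info" in doc and "client" in doc:
        return "client_config"
    return "other"

def scan(root):
    """Return {relative path: kind} for each Firebase-related .json under root."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            if not name.endswith(".json"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    kind = classify(fh.read())
            except OSError:
                continue  # unreadable file: nothing to classify
            if kind != "other":
                found[os.path.relpath(path, root)] = kind
    return found

# Constructed samples (not real credentials).
SAMPLE_CLIENT = json.dumps({"project_info": {"project_id": "example-app"},
                            "client": [{"api_key": [{"current_key": "CONSTRUCTED"}]}]})
SAMPLE_SA = json.dumps({"type": "service_account", "project_id": "example-app",
                        "private_key": "CONSTRUCTED-PLACEHOLDER",
                        "client_email": "sa@example-app.iam.gserviceaccount.com"})

if __name__ == "__main__":
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, kind in sorted(results.items()):
        print(f"{kind}\t{path}")
    # Fail the hook or CI job only for the secret-bearing kind.
    sys.exit(1 if "service_account_key" in results.values() else 0)
```
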