Skip to main content
Firebase Security Guide
Q&AFirebase

Can Firebase apps be hacked?

Firebase apps can be compromised if security rules are misconfigured, which is a widespread issue. Since Firebase configuration including the API key and project ID is embedded in client-side code, attackers can discover your project details and interact with your database directly using the Firebase SDK or REST API. Without proper security rules, an attacker can read all user data, modify records, or delete entire collections. Insecure Cloud Functions can also be exploited if they lack proper input validation or authentication. UNPWNED identifies these vulnerabilities by testing your Firebase endpoints for unauthorized access patterns.

Check your Firebase app now

Run free security scan

Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.

Related Questions

Is the Firebase API key a secret?How secure is Firebase Authentication?

More Firebase Security Questions

Are Firebase Security Rules secure by default?Is the Firebase API key a secret?How do I secure Firestore properly?How do Firebase Storage Security Rules work?How secure is Firebase Authentication?How can I test Firebase Security Rules?