Leaked Firebase Admin SDK — bypasses every security rule you wrote

The Firebase Admin SDK grants full access to the project, bypassing every security rule. Worst-case credential for Firebase-backed apps.

The next 60 seconds matter

The attacker authenticates with the Admin SDK, reads every Firestore document, enumerates Auth users, modifies Realtime Database, sends arbitrary push notifications via FCM, and creates new admin users for persistence.

  • Dump every Firestore collection
  • List + impersonate Auth users
  • Read Realtime Database entirely
  • Send push notifications to your user base

Rotation playbook

  1. Google Cloud Console → IAM → Service Accounts → (firebase-adminsdk-*) → Keys → Delete leaked key
  2. Review Firestore and Auth audit logs for the past 24 hours
  3. If exfiltration detected: notify users per GDPR Art. 34 within 72 hours

Prevent the next one

  • Restrict Admin SDK usage to backend-only code paths; never in client bundles
  • Use Firebase App Check to require attested clients for direct Firebase access
  • Audit custom-claim grants — every elevated user is a credential

Pattern we scan for

JSON object with private_key_id, private_key, client_email (firebase-adminsdk-*)
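A detector for that pattern, added here as an illustration and not the page's own scanner: it walks a text blob (a client bundle, a config file, a paste), decodes every embedded JSON object, and reports any that carry the three fields with a firebase-adminsdk-* client_email. The sample bundle and all values in it are constructed, and the key-id and e-mail formats are assumptions based on the pattern above; the private key itself is never copied into a finding.

```python
import json
import re

# The three fields named on the page; together they identify a service-account
# key file. The client_email prefix (firebase-adminsdk-*) marks the Firebase
# Admin SDK default service account (suffix/domain format is an assumption).
REQUIRED_FIELDS = ("private_key_id", "private_key", "client_email")
ADMIN_SDK_EMAIL = re.compile(
    r"^firebase-adminsdk-[a-z0-9]+@([a-z0-9-]+)\.iam\.gserviceaccount\.com$"
)
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"

# Constructed sample: a client bundle that embeds a public web config (harmless)
# followed by a full service-account key (the leak). Placeholder values only.
SAMPLE_BUNDLE = (
    'window.__cfg = {"apiKey": "placeholder", "projectId": "demo-app"};\n'
    'const sa = {"type": "service_account", "project_id": "demo-app", '
    '"private_key_id": "0123abcd", '
    '"private_key": "-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED-PLACEHOLDER'
    '\\n-----END PRIVATE KEY-----\\n", '
    '"client_email": "firebase-adminsdk-ab1cd@demo-app.iam.gserviceaccount.com", '
    '"token_uri": "https://oauth2.googleapis.com/token"};\n'
)


def find_firebase_admin_keys(text: str) -> list[dict]:
    """Return one finding per embedded JSON object that matches the leaked-key
    pattern. Findings carry the key id (for the Console 'Keys' tab) and the
    project id parsed from client_email, but never the private key material."""
    findings = []
    decoder = json.JSONDecoder()
    pos = 0
    while (start := text.find("{", pos)) != -1:
        try:
            obj, end = decoder.raw_decode(text, start)  # parse from this brace
        except json.JSONDecodeError:
            pos = start + 1  # not a JSON object here; try the next brace
            continue
        pos = end
        if not isinstance(obj, dict) or not all(f in obj for f in REQUIRED_FIELDS):
            continue
        m = ADMIN_SDK_EMAIL.match(str(obj["client_email"]))
        if not m:
            continue  # a service-account key, but not the Firebase Admin SDK one
        findings.append({
            "project_id": m.group(1),
            "client_email": obj["client_email"],
            "private_key_id": obj["private_key_id"],
            "has_pem_private_key": str(obj["private_key"]).startswith(PEM_HEADER),
        })
    return findings


if __name__ == "__main__":
    for finding in find_firebase_admin_keys(SAMPLE_BUNDLE):
        print("LEAKED Firebase Admin SDK key:", finding)
```

A hit means the rotation playbook above applies to the reported private_key_id; the public web config in the same bundle is not a finding because it lacks a private key.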