highExposed Secrets

Firebase Service Account Key Exposed in Client Code

What Is This Vulnerability?

Firebase Admin SDK service account credentials or private keys are included in client-side JavaScript or committed to a public repository. Unlike the Firebase client configuration (which is designed to be public), service account keys grant full administrative access to your Firebase project, including reading and writing all database records, managing users, and accessing Cloud Storage.

Why It Happens

Developers confuse the Firebase client config (which is safe to expose) with the Firebase Admin SDK service account key (which must stay private). Some tutorials mix client and server setup in the same file. Service account JSON files downloaded from the Firebase console are sometimes placed in the project root and committed by accident.

Example Code

Vulnerablefirebase-admin.ts
import admin from "firebase-admin";

admin.initializeApp({
  credential: admin.credential.cert({
    projectId: "my-app-12345",
    privateKey: "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIB...long-key...\n-----END RSA PRIVATE KEY-----\n",
    clientEmail: "firebase-adminsdk-abc@my-app-12345.iam.gserviceaccount.com",
  }),
});

export const db = admin.firestore();
Fixedfirebase-admin.ts
import admin from "firebase-admin";

admin.initializeApp({
  credential: admin.credential.cert({
    projectId: process.env.FIREBASE_PROJECT_ID,
    privateKey: process.env.FIREBASE_PRIVATE_KEY?.replace(/\\n/g, "\n"),
    clientEmail: process.env.FIREBASE_CLIENT_EMAIL,
  }),
});

export const db = admin.firestore();

How Hackers Exploit It

With a Firebase service account key, an attacker gains full admin access to the Firebase project. They can read and modify all Firestore and Realtime Database data, create and delete user accounts, access Cloud Storage files, and send push notifications. The service account often has permissions beyond Firebase, extending to other Google Cloud resources in the same project.

How to Fix It

Store service account credentials in environment variables or use Google Cloud's default application credentials. Never place the service account JSON file in your source tree. Add the JSON filename to .gitignore. For production, use workload identity federation or deploy to environments where credentials are provided automatically (Cloud Run, Cloud Functions).

Frequently Asked Questions

Is the Firebase client config (apiKey, authDomain) a security risk?
No. The Firebase client configuration is designed to be public. It identifies your project but does not grant access on its own. Security is enforced through Firebase Security Rules and authentication. The service account key is the sensitive credential that must be kept private.
How do I rotate a compromised Firebase service account key?
Go to the Firebase console, navigate to Project Settings, then Service Accounts, and generate a new private key. Delete the old key from the Google Cloud IAM console. Update your environment variables with the new key and redeploy your services.
Can I use Google Application Default Credentials instead?
Yes. On Google Cloud services (Cloud Run, Cloud Functions, GCE), the environment automatically provides credentials. Locally, run gcloud auth application-default login to set up credentials without a JSON key file. This is the recommended approach for most deployments.

Related Security Topics

AWS Access Keys Committed to Source Code

Learn about aws access keys committed to source code and how to fix it.

.env File Accessible Publicly or Committed to Git

Learn about .env file accessible publicly or committed to git and how to fix it.

Database Credentials Hardcoded in Application Source

Learn about database credentials hardcoded in application source and how to fix it.

Check Your Code for This Vulnerability

Run a free scan to check if your site is affected by firebase service account key exposed in client code.