Improper Access Control in juanchovelezpro/GestionGanadera

Valid
Reported on May 3rd 2021

✍️ Description

GestionGanadera is using a Firebase Realtime Database (firebaseio) with insecure read/write rules: the database is reachable without authentication at https://gestionganadera-e6024.firebaseio.com/.json

🕵️‍♂️ Proof of Concept

Use https://github.com/MuhammadKhizerJaved/Insecure-Firebase-Exploit
Then visit https://gestionganadera-e6024.firebaseio.com/.json or https://gestionganadera-e6024.firebaseio.com/zer0h.json

💥 Impact

I can see some passwords but I can also overwrite your whole database. Please refer to https://firebase.google.com/docs/rules/insecure-rules?hl=en#open_access
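As an added illustration that is not part of the original report: the open rule set this class of finding comes from, next to a locked-down one, plus a small check that flags any path whose `.read` or `.write` is the literal `true` (world access). The `users/$uid` layout in the hardened rules is an assumption for the example, not the app's real schema.

```python
import json

# Constructed example of the open rule set the report describes. With the
# root ".read"/".write" set to the literal true, Firebase grants the whole
# database to unauthenticated callers.
OPEN_RULES = json.loads('''{
  "rules": {
    ".read": true,
    ".write": true
  }
}''')

# Constructed hardened rule set (the "users/$uid" layout is an assumption).
# Access is tied to the signed-in user's own subtree; anything not granted
# by a rule is denied by default.
LOCKED_RULES = json.loads('''{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}''')


def open_paths(rules, path="/"):
    """Return (path, permission) pairs where ".read" or ".write" is the
    literal true, i.e. granted without authentication. Rules cascade down
    the tree in the Realtime Database, so a hit at "/" exposes everything."""
    found = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if value is True or (isinstance(value, str) and value.strip() == "true"):
                found.append((path, key))
        elif isinstance(value, dict):
            child = path.rstrip("/") + "/" + key
            found.extend(open_paths(value, child))
    return found


def audit(doc):
    """Audit a full rules document (the object under the "rules" key)."""
    return open_paths(doc["rules"])
```

Run `audit()` over your own exported rules JSON; an empty result means no path is open to the world, which is the state the linked Firebase documentation asks for.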