Internal Firebase panel had hardcoded credentials granting all visitors full database access
A routine security review of an internal management tool called PanelControl uncovered two critical flaws: a debug leftover made the admin password check always pass, and hardcoded Firebase credentials in the public JavaScript bundle automatically authenticated every site visitor with full read/write database access. The login form operators used daily was effectively just a visual filter, offering no real protection at the database level. Because a single shared Firebase identity was used for all visitors, the platform's database rules could not distinguish legitimate operators from anyone who loaded the page. The fix was rolled out in five phases without locking out the team, moving credential verification to a server-side Netlify Function that issues custom tokens tied to each operator's real identity. Database rules were updated to check operator-specific claims from those tokens, replacing the single shared account that had left the system exposed.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in