Background
In mid-2018, Appthority released a report detailing a vulnerability in Google's firebase.io, a database backend used by thousands of mobile apps.
Details
Potentially sensitive data is available by accessing URLs of the form https://<APPNAME>.firebaseio.com/.json. Doing so gives access to all unprotected data in that particular database. If your organization develops and/or deploys mobile apps, you should check whether they are using Firebase, and if so, whether any data is being exposed.
One quick way to do this:
wget https://appname.firebaseio.com/.json; cat .json | python -m json.tool
The above command fetches the contents of that URL and pretty-prints them using Python's json.tool module.
You can also quickly check whether the data exists as follows:
curl -sL -w "%{http_code} %{url_effective}\n" "https://appname.firebaseio.com/.json" -o /dev/null
This returns the HTTP response code followed by the URL: 200 indicates the data is present, and 404 tells you there's nothing there.
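The two one-liners above can be folded into a single audit script for an organization's own app names. The following is an added example, not code from the Appthority report: it performs the same GET against https://<appname>.firebaseio.com/.json, reads the 200/404 outcomes as described above, and additionally treats the 401 "Permission denied" body that the Firebase REST endpoint returns when security rules block anonymous reads as the "protected" case. Rather than dumping the whole export to the terminal, it only summarizes the top-level node names and their child counts, which is enough to triage an exposure without copying user records into logs. The sample responses at the top are constructed for the offline demonstration.

```python
"""Triage helper for the Firebase .json exposure check.

Added example code (not from the original report). It runs the same GET
as the wget/curl one-liners and summarizes the result without printing
record contents.
"""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample (status, body) pairs mirroring what the REST endpoint
# returns; these stand in for live responses when run offline.
SAMPLE_OPEN = (
    200,
    '{"users": {"u1": {"email": "a@example.com"}, '
    '"u2": {"email": "b@example.com"}}, "config": {"debug": true}}',
)
SAMPLE_EMPTY = (200, "null")          # database exists but holds no data
SAMPLE_MISSING = (404, "")            # no database at this name
SAMPLE_LOCKED = (401, '{"error": "Permission denied"}')  # rules block the read


def summarize(body):
    """Return {top_level_key: child_count} for a Firebase export body.

    Values are never included, so the summary is safe to put in a report.
    """
    data = json.loads(body) if body else None
    if data is None:
        return {}
    if not isinstance(data, dict):
        return {"<root>": 1}
    return {
        key: (len(value) if isinstance(value, (dict, list)) else 1)
        for key, value in data.items()
    }


def classify(status, body):
    """Map an HTTP status and body to a one-line finding."""
    if status == 200:
        summary = summarize(body)
        if not summary:
            return "EMPTY: database exists but contains no data"
        nodes = ", ".join(f"{key}: {count}" for key, count in summary.items())
        return f"EXPOSED: unauthenticated read succeeded; top-level nodes: {nodes}"
    if status == 401:
        return "PROTECTED: read denied by security rules"
    if status == 404:
        return "NOT FOUND: no database at this name"
    return f"UNEXPECTED: HTTP {status}"


def fetch(app_name, timeout=10):
    """GET https://<app_name>.firebaseio.com/.json and return (status, body)."""
    url = f"https://{app_name}.firebaseio.com/.json"
    request = urllib.request.Request(url, headers={"User-Agent": "firebase-audit/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401 and 404 arrive here; keep the body so classify() can read it.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python firebase_audit.py <appname> [<appname> ...]
        for name in sys.argv[1:]:
            code, text = fetch(name)
            print(f"{name}: {classify(code, text)}")
    else:
        for code, text in (SAMPLE_OPEN, SAMPLE_EMPTY, SAMPLE_MISSING, SAMPLE_LOCKED):
            print(classify(code, text))
```

Run with one or more app names to check live databases; run with no arguments to see the four outcomes on the constructed samples. The 401 branch is the state you want every production database to be in for anonymous clients.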