Firebase Admin SDK Leaks: How Service Account Keys End Up in Public Repos
Introduction to Firebase Admin SDK Leaks
Firebase Admin SDK leaks are a common security issue affecting many vibe-coded applications built with tools like Cursor, Lovable, Bolt, v0, or Replit. These leaks occur when service account keys are accidentally exposed in public repositories, allowing unauthorized access to sensitive data. The question is: how do these leaks happen in the first place? The answer lies in the way developers handle service account keys in their code.
When using the Firebase Admin SDK, developers need to authenticate their service accounts using private key files. These key files are used to generate tokens that grant access to Firebase services. However, when these key files are committed to public repositories, they can be accessed by anyone, leading to unauthorized access and potential data breaches.
Causes of Firebase Admin SDK Leaks
There are several ways service account keys can end up in public repositories. One common mistake is committing the key file to the repository using git add and git commit commands. For example:
git add firebase-service-account-key.json
git commit -m "Added service account key"
This commits the key file to the repository, where anyone who can read the repository can retrieve it. Deleting the file in a later commit does not undo the exposure: the key stays in the git history until the history is rewritten, and the key itself has to be rotated regardless.
Another common mistake is hardcoding the service account key in the code. For example:
const admin = require('firebase-admin');
admin.initializeApp({
  credential: admin.credential.cert({
    type: 'service_account',
    project_id: 'your-project-id',
    private_key_id: 'your-private-key-id',
    private_key: 'your-private-key',
    client_email: 'your-client-email',
    client_id: 'your-client-id',
    auth_uri: 'https://accounts.google.com/o/oauth2/auth',
    token_uri: 'https://oauth2.googleapis.com/token',
  }),
});
This code hardcodes the service account key, making it easy to access the key by simply reading the code.
Consequences of Firebase Admin SDK Leaks
The consequences of exposing service account keys can be severe. Unauthorized access to sensitive data, data breaches, and financial losses are just a few of the potential consequences. Additionally, exposing service account keys can also lead to reputational damage and loss of customer trust.
To mitigate these risks, it's essential to handle service account keys securely. One way to do this is by using environment variables to store the key. For example:
import os
import firebase_admin
from firebase_admin import credentials

# Every secret field comes from the process environment; only the non-secret
# OAuth endpoints stay in the source.
cred = credentials.Certificate({
    'type': 'service_account',
    'project_id': os.environ['PROJECT_ID'],
    'private_key_id': os.environ['PRIVATE_KEY_ID'],
    # Environment values often carry the PEM with literal "\n" sequences;
    # turning them back into real newlines keeps the key parseable.
    'private_key': os.environ['PRIVATE_KEY'].replace('\\n', '\n'),
    'client_email': os.environ['CLIENT_EMAIL'],
    'client_id': os.environ['CLIENT_ID'],
    'auth_uri': 'https://accounts.google.com/o/oauth2/auth',
    'token_uri': 'https://oauth2.googleapis.com/token',
})
firebase_admin.initialize_app(cred)
This code uses environment variables to store the service account key, making it more secure than hardcoding the key.
Best Practices for Preventing Firebase Admin SDK Leaks
To prevent Firebase Admin SDK leaks, follow these best practices:
* Use environment variables to store service account keys
* Use a secrets manager to securely store and manage service account keys
* Avoid hardcoding service account keys in code
* Use a secure method to authenticate service accounts, such as a private key file kept outside the repository and excluded from version control
By following these best practices, you can reduce the risk of exposing service account keys and prevent Firebase Admin SDK leaks. Tools like SecuriSky can also help detect these issues automatically, providing an additional layer of security for your vibe-coded apps.
Detecting Firebase Admin SDK Leaks
Detecting Firebase Admin SDK leaks can be challenging, but there are tools available to help. SecuriSky, a security scanner for AI-built apps, can detect potential security issues, including Firebase Admin SDK leaks. By using SecuriSky, you can identify and fix security vulnerabilities before they become major issues.
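As an added example (not SecuriSky's code and not part of the original post), the following Python script is a pre-commit check that refuses a commit when a staged file carries all three markers of a Firebase service account key: the declared type, a PEM private key, and an IAM service-account e-mail. The sample inputs are constructed, and the regexes and the git command it shells out to are assumptions of this example.

```python
import re
import subprocess
import sys
# A committed Firebase service account key carries all three of these markers;
# requiring all of them keeps placeholders like 'your-private-key' from alerting.
TYPE_RE = re.compile(r"""["']?type["']?\s*:\s*["']service_account["']""")
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")
SA_EMAIL_RE = re.compile(r"[\w.-]+@[\w.-]+\.iam\.gserviceaccount\.com")

# Constructed samples (not real credentials): a key file shaped like the one the
# Firebase console downloads, and an init that uses Application Default Credentials.
SAMPLE_KEY_JSON = (
    '{"type": "service_account", "project_id": "demo-project",\n'
    ' "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvAIBADANBg...\\n-----END PRIVATE KEY-----\\n",\n'
    ' "client_email": "firebase-adminsdk-x1y2z@demo-project.iam.gserviceaccount.com"}'
)
SAMPLE_SAFE = 'admin.initializeApp({ credential: admin.credential.applicationDefault() });'


def find_service_account_key(text: str) -> dict:
    """Report which markers appear in text; is_key is True only when all three do."""
    hits = {
        "type": bool(TYPE_RE.search(text)),
        "private_key": bool(PEM_RE.search(text)),
        "client_email": bool(SA_EMAIL_RE.search(text)),
    }
    hits["is_key"] = hits["type"] and hits["private_key"] and hits["client_email"]
    return hits


def scan_files(paths):
    # Return the subset of paths whose contents look like a service account key.
    leaked = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as f:
                if find_service_account_key(f.read())["is_key"]:
                    leaked.append(path)
        except OSError:  # missing, unreadable or a directory: nothing to scan
            continue
    return leaked


def staged_files():
    # Files added, copied or modified in the commit being prepared.
    cmd = ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()


if __name__ == "__main__":  # install as .git/hooks/pre-commit; a non-zero exit blocks the commit
    found = scan_files(sys.argv[1:] or staged_files())
    for p in found:
        print(f"refusing to commit a service account key: {p}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Because the check requires all three markers together, a placeholder-filled snippet like the hardcoded example above is reported as partial (type only) rather than as a leaked key.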