
There are over 100k firebase authentication files on public GitHub repos - stackola
Exhibit A: https://github.com/search?q=filename%3Agoogle-services.json&type=Code

also amusing:
https://github.com/search?q=%22delete+google-services.json%22&type=Commits
======
rvnx
Embedding Firebase and running client-side operations is the concept of
Firebase itself, you create an API key for your app and put it in
google-services.json. It's a public+non-secret file.

~~~
stackola
Yes, you're right, I was under the impression those were more confidential.
Still, having 100k Firestore URLs can't be good, given how hard it is to
correctly secure Firestore. Also, using similar queries, you can try looking
for the definitely-not-public serviceAccountKey.json

------
villgax
This literally comes with every website using Firebase with the configuration
in the JavaScript, what's your point?

~~~
stackola
Take these 800 admin service account keys instead

[https://github.com/search?q=filename%3AserviceAccountKey.jso...](https://github.com/search?q=filename%3AserviceAccountKey.json)

~~~
villgax
Yep, this is bad though.

------
infinii
It's hard to avoid. My project has a firebaseConfig.js.sample file committed
as a reminder to the deployer, they need to create their own. And I put
firebaseConfig.js into .gitignore in case a developer is careless.

------
happppy
exposed .env files. First result, lol
[https://github.com/DennisIrimu/instagram/blob/d49ea53281904c...](https://github.com/DennisIrimu/instagram/blob/d49ea53281904c477afe37b0c5321ecb5f087576/.env)

~~~
quickthrower2
I’d love to try it out but don’t want to get in trouble!
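
The thread separates the public client config (google-services.json) from the private serviceAccountKey.json; a repository owner can check for the latter by file content rather than filename before committing. The following is an added example, not part of the original thread: the function names and sample files are constructed, and the fields checked (`type`, `private_key`, `project_info`, `client`) are assumed to be the ones those two file formats normally carry.

```python
import json
import os
import tempfile

def classify(text):
    """Classify JSON text by its content, not its filename."""
    try:
        doc = json.loads(text)
    except ValueError:
        return "other"
    if not isinstance(doc, dict):
        return "other"
    # Service account key: admin credential that holds a private key.
    if doc.get("type") == "service_account" and "PRIVATE KEY" in str(doc.get("private_key")):
        return "service_account_key"
    # google-services.json: client-side config shipped inside the app.
    if "project_info" in doc and "client" in doc:
        return "client_config"
    return "other"

def scan_tree(root):
    """Map each recognised .json file under root to its classification."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in (n for n in filenames if n.endswith(".json")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                kind = classify(fh.read())
            if kind != "other":
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = kind
    return findings

def demo():
    samples = {  # constructed files with placeholder values only
        "app/google-services.json": {"project_info": {"project_id": "example"}, "client": []},
        "tools/creds.json": {"type": "service_account", "private_key": "BEGIN PRIVATE KEY (constructed)"},
        "package.json": {"name": "example"},
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, doc in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
        return scan_tree(root)

if __name__ == "__main__":
    print(*sorted(demo().items()), sep="\n")
```

Because the check reads content, a renamed key file such as the constructed `tools/creds.json` is still reported, which a filename entry in .gitignore would miss.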

