Yes, there is still a way! 

Recently my team was working on an application running on firebase. It is not possible to use burp suite as the entire application is based on firebase real-time functions using js only and there were issues intercepting the traffic.

It was difficult to actually test anything apart from reviewing the firewall configurations. We never send our customers a blank security assessment report. Though we were able to find multiple privilege escalation vulnerabilities, there is still some high risk missing.

The application was missing a registration form as a part of the requirement. Upon going through the documentation of firebase, realized that it was possible to register a user using the API. We later were able achieve a complete take over the database to make a READ, WRITE, UPDATE and DELETE operation on the firestore with only read access officially on it.

Remediation:

  • Make sure you always write an explicit function to check if no one is registered.
  • Don't use authentication at all if you don't want to allow new registration.

PS: This vulnerability is not widely known in the community. We work hard on research and find new ways to hack in. 3:) 

You can always get in touch with me on linkedin