Yes, there is still a way!
Recently my team was working on an application running on Firebase. It was not possible to use Burp Suite, as the entire application is based on Firebase real-time functions using JS only, and there were issues intercepting the traffic.
It was difficult to actually test anything apart from reviewing the firewall configurations. We never send our customers a blank security assessment report. Though we were able to find multiple privilege escalation vulnerabilities, some high-risk finding was still missing.
The application was missing a registration form as a part of the requirement. Upon going through the Firebase documentation, we realized that it was possible to register a user using the API. We were later able to achieve a complete takeover of the database and perform READ, WRITE, UPDATE and DELETE operations on the Firestore, with only read access officially on it.
- Make sure you always write an explicit function to check if no one is registered.
- Don't use authentication at all if you don't want to allow new registration.
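
A self-registered account only matters if the Firestore rules trust every signed-in user. The following audit script is an added example, not code from the assessed application: it assumes that cause, and the rules text, the `auditRules` name and the list of weak conditions are constructed for illustration. It flags `allow` statements that any registered account would satisfy.

```javascript
// Added example. SAMPLE_RULES is constructed, not the assessed app's rules.
const SAMPLE_RULES = `
service cloud.firestore {
  match /databases/{database}/documents {
    match /reports/{id} {
      allow read: if request.auth != null;
      allow write: if request.auth != null;
    }
    match /profiles/{uid} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
    match /public/{doc} {
      allow read: if true;
    }
  }
}`;

const WRITE_OPS = new Set(["write", "create", "update", "delete"]);
// Conditions (whitespace removed) that anyone, or any self-registered account, satisfies.
const WEAK = new Set(["true", "request.auth!=null", "request.auth.uid!=null"]);

// Line-based audit; assumes one match/allow statement per line.
function auditRules(text) {
  const findings = [];
  const stack = []; // one entry per open brace: a match path, or null
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\/\/.*$/, "").trim();
    if (line.endsWith("{")) {
      const m = line.match(/^match\s+(\S+)\s*\{$/);
      stack.push(m ? m[1] : null);
      continue;
    }
    if (line === "}") { stack.pop(); continue; }
    const a = line.match(/^allow\s+([\w,\s]+?)\s*:\s*if\s+(.*);$/);
    if (!a || !WEAK.has(a[2].replace(/\s+/g, ""))) continue;
    const ops = a[1].split(",").map((s) => s.trim());
    findings.push({
      path: stack.filter(Boolean).join(""),
      ops,
      writable: ops.some((o) => WRITE_OPS.has(o)),
    });
  }
  return findings;
}

for (const f of auditRules(SAMPLE_RULES)) {
  console.log(f.writable ? "HIGH" : "review", f.path, f.ops.join(","));
}
```

Rules that compare `request.auth.uid` to a document owner or check a custom claim are not flagged, because registering a new account does not satisfy them.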
PS: This vulnerability is not widely known in the community. We work hard on research and find new ways to hack in. 3:)
You can always get in touch with me on LinkedIn.