Breach report
Chat & Ask AI: 300 million messages readable by anyone with the project URL
What happened
Chat & Ask AI, a popular assistant app from developer Codeway, exposed approximately 300 million messages tied to 25 million users (the app has over 50 million total users). A researcher was able to read user files containing entire chat histories, the models used, and other settings. The exposure also reached data from other Codeway apps. The cause was a Firebase misconfiguration: Security Rules set to public. As Malwarebytes described it, that setting "allows anyone with the project URL to read, modify, or delete data without authentication." Reported February 9, 2026, Codeway said it resolved the issue across all of its apps within hours of disclosure. Notably, the researcher found 103 of 200 iOS apps scanned had the same problem, exposing tens of millions of stored files collectively.
Root cause
Firebase ships with rules that decide who can read and write each path. Setting them to public — a common shortcut during development — turns the backend into an open database keyed only by a URL that ships inside the app. The client worked perfectly; the invariant "only the owning user can read their own chats" was simply never enforced server-side. Because the same template was reused across many apps, one insecure default multiplied into a fleet-wide exposure.
How it would have been caught
A test that connects to the Firebase project with no authentication and attempts to read another user's document, then asserts the read is denied, flips red instantly against public rules. So would a rules-linter in CI that fails the build if any rule evaluates to allow read/write: if true. The reproduction is a single unauthenticated read against the project URL that already ships in the binary.
How to prevent it
- Write Firebase Security Rules that scope every document to
request.auth.uid, deny by default, and are covered by the Firebase Rules unit-test emulator. - Assume the project URL and config are public — they are embedded in the client — and design so that leaks nothing.
- Add a CI gate that rejects
if truerules; never ship development-mode rules to production.
The Breachwire test (red → green)
Using the project config extracted from the app and no login, read another user's chat document and confirm it returns the messages — the RED proof the database is world-readable. Replace the rules with owner-scoped, deny-by-default policies, then confirm the same unauthenticated read is denied, while the document's owner still reads it when signed in.