Leaking Loudly: Public Backups, Posts, and PII from Fizz’s CDN

⚠️ Note on Redaction & Intent

All personal and confidential information has been redacted from any screenshots or data.
All data described here was publicly accessible without login or authorization at the time of discovery.
This write-up is brief and intended primarily as a public record, not a technical walkthrough.

📅 Discovery Context

In March 2024, while working on a Python wrapper for the Fizz social media API, I noticed something had changed: the app had shifted from using a xyz.firebaseapp.com CDN to a direct public-facing URL.

That kind of infrastructure transition is often ripe for misconfigurations, so I did what any curious security researcher would do—checked the base directory of the CDN.

What I found wasn’t just misconfigured.

It was wide open.


🔍 What Was Exposed

Upon browsing to the CDN’s root, I was met with a basic index view containing multiple folders. Three in particular stood out immediately:

  • backups/
  • posts/
  • comments/

Navigating into /backups revealed daily JSON-formatted exports of user data, publicly accessible to anyone on the internet. These files included:

  • Full user profiles
  • Email addresses
  • Phone numbers
  • User IDs

This was essentially a snapshot of the user database—just sitting on the open internet.

But it didn’t stop there.


🔗 Linking Users to Content

Using the contents of /posts and /comments, which mirrored Firebase-style JSON exports, I could reasonably correlate user IDs found in the backups with their post and comment histories.

To test accuracy, I cross-referenced data associated with my own account and friends who gave consent. The result?

Approximately 95% accuracy in reconstructing identifiable post histories.

The data format wasn’t elegant, but it didn’t need to be. With just basic parsing, Fizz users could be linked to their private content.


👀 Additional Findings

Beyond personal data, the exposed CDN also contained:

  • Moderator activity logs
  • Rulesets for moderation actions
  • Evidence of in-development features

This wasn’t just a leak—it was a full administrative window into the inner workings of the platform.


📜 Fizz’s History With Leaks

This wasn’t the first time Fizz had suffered from exposed user data. A previous incident in November 2021 was documented by the Stanford Daily:

📄 Fizz previously compromised its users’ privacy. It may do so again. – The Stanford Daily

That pattern—along with the severity of this discovery—reinforced a personal decision I made shortly after disclosure.


✅ Response and Aftermath

The vulnerability was reported and remediated within 24 hours, which was commendable. That said, the fact that this data was ever public at all left me deeply uneasy.

For that reason, I’ve chosen:

  • Not to work with Fizz again
  • To avoid using the application personally
  • To forgo a full technical scorecard or rating

Sometimes, the security posture of an app isn’t just about fixing bugs—it’s about trust. And in this case, mine is gone.


🔐 Final Thoughts

CDN misconfigurations may seem mundane, but when they expose millions of users’ private information, they become critical infrastructure failures.

If you manage public-facing storage for a platform—even a small one—ensure:

  • Indexing is disabled
  • Authorization checks protect sensitive folders
  • Daily backups are never public by default
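As an added self-audit for the checklist above (example code written for this write-up, not tooling from Fizz or from the author), the Python below probes a storage origin you operate for the two failure modes this post describes: a browsable root index and sensitive folders that answer without authorization. The hostname cdn.example is a placeholder, the folder names follow the layout described above, and the sample responses are constructed so the script runs offline.

```python
import re
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Folder names follow the layout described in the post; the hostname below is a placeholder.
SENSITIVE_PREFIXES = ("backups/", "posts/", "comments/")
_HREF_RE = re.compile(r'href="([^"?#]+)"', re.IGNORECASE)
Fetcher = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)

def listed_folders(body: str) -> List[str]:
    """Return sub-folder links if `body` is an auto-generated 'Index of' page, else []."""
    if "index of" not in body.lower():
        return []
    return [h for h in _HREF_RE.findall(body) if h.endswith("/") and h not in ("/", "../")]

def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Default fetcher: GET the URL and keep only the first 64 KiB of the body."""
    req = Request(url, headers={"User-Agent": "storage-exposure-audit/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""

def audit_origin(base_url: str, fetch: Fetcher = http_fetch) -> Dict[str, List[str]]:
    """Check the two failure modes from the write-up: a browsable root and public sensitive folders."""
    base = base_url.rstrip("/") + "/"
    status, body = fetch(base)
    findings = {"listing": listed_folders(body) if status == 200 else [], "public_sensitive": []}
    for prefix in SENSITIVE_PREFIXES:
        status, _ = fetch(base + prefix)
        if status == 200:  # a 401/403/404 here is what a correctly locked-down folder returns
            findings["public_sensitive"].append(prefix)
    return findings

# Constructed responses standing in for a live origin (no real user data involved).
EXPOSED = {
    "https://cdn.example/": (200, '<title>Index of /</title><a href="../">../</a>'
                                  '<a href="backups/">backups/</a><a href="posts/">posts/</a>'),
    "https://cdn.example/backups/": (200, '<title>Index of /backups/</title><a href="2024-03-01.json">'),
    "https://cdn.example/posts/": (200, "{}"),
    "https://cdn.example/comments/": (200, "{}"),
}
FIXED = {"https://cdn.example/": (200, "<html>app shell, no listing</html>")}  # folders now 403

def fake_fetch(responses: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Offline fetcher: unknown URLs answer 403, as a locked-down folder would."""
    return lambda url: responses.get(url, (403, ""))
```

Run `audit_origin("https://cdn.example", fake_fetch(EXPOSED))` to see both findings populated, and the same call with `FIXED` to see both lists empty; swap in `http_fetch` to check an origin you own.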

Security isn’t just a feature. For social apps, it’s the foundation of trust.


This post reflects my personal findings and opinions. All sensitive information has been redacted, and no unauthorized access was used or attempted. This disclosure was conducted ethically and independently.
