Firebase is a mobile and web application development platform provided by Google. One of the tools available for the platform is the Firebase CLI tool (GitHub repo) which helps developers interact with the platform from command line. An automatic install script is offered among other options, which allows installation of the CLI tool via the “curl | bash” pattern as follows:
curl -sL https://firebase.tools | bash
As part of our ongoing research into supply chain attacks, we have been looking into bash installer scripts that make calls to external systems. First, there is no way to verify that the installer is legit, However, to our surprise, we also found that this script makes calls to Google Analytics as part of the installation process. There is no sensitive data being collected but Google may still be collecting IP addresses of users installing the CLI. The source code for the installer script can be found here:
While this can be disabled, the documentation to do so is hard to find and is embedded within the installer script itself. We hope that Google will make this documentation more clear in the future. In any case, here is the documentation:
The actual code that makes these calls can be found here:
And here are all the analytics events triggered within the script:
send_analytics_event start
...
send_analytics_event uninstall_npm
...
send_analytics_event uninstall
...
send_analytics_event already_installed
...
send_analytics_event upgrade
...
send_analytics_event "missing_platform_$UNAME"
...
send_analytics_event failure
...
send_analytics_event missing_path
...
send_analytics_event success
Related Posts
Recent Posts
- CVE-2024-57823 – Raptor Turtle Parser Integer Underflow Vulnerability
- CVE-2024-57822 – Raptor RDF Syntax Library Heap-Based Buffer Over-Read Vulnerability
- CVE-2025-23016 – FastCGI fcgi2 Buffer Overflow
- CVE-2025-21380 – Azure SaaS Resource Authentication Bypass
- CVE-2025-21385 – Microsoft Purview SSRF