Roggie

Reputation: 1217

Firebase says that my rules are insecure, why?

I have received an email from Firebase advising me that my security rules are insecure citing: Any user can read/write to your database.

How can this be? I have specified .read and .write rules below. What am I missing? Any help would be much appreciated.

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "venues-location": {
      ".indexOn": "g"
    },
    "users-compliments": {
      "$uid": {
        "$uid": {
          ".indexOn": ".value"
        }
      }
    },
    "users-invites": {
      "$uid": {
        "$uid": {
          ".indexOn": ".value"
        }
      }
    },
    "users-location": {
      ".indexOn": "g"
    }
  }
}

Upvotes: 3

Views: 3257

Answers (2)

Muhammad Ibrahim

Reputation: 31

".read": "auth != null",

".write": "auth != null",

These above rules are the default rules. According to the Firebase documentation, they allow full read and write access to authenticated users of your app. They are useful if you want data open to all users of your app but don't want it open to the world.

It is essential that you configure these rules correctly before launching your app to ensure that your users can only access the data that they are supposed to.

{
  "rules": {
    "foo": {
      ".read": true,
      ".write": false
    }
  }
}

Here's an example of a rule that grants write access for authenticated users to /users/<uid>/, where <uid> is the ID of the user obtained through Firebase Authentication.

{
  "rules": {
    "users": {
      "$uid": {
        ".write": "$uid === auth.uid"
      }
    }
  }
}

Upvotes: 6

bojeil

Reputation: 30808

"auth != null" is not enough. It means anyone who is authenticated can read/write to another user's data. You probably want to add something like ".write": "auth.uid == $uid" under the $uid nodes, to only allow the authenticated user to access their own data and not another user's.

Upvotes: 1
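Applying both answers to the rule set in the question, here is a hardened version (an added example, not code from either answer or from the Firebase documentation) that drops the root-level grant and scopes reads and writes per user. It assumes that venue locations are written by a trusted backend, that any signed-in user may read the location nodes for geo queries, and that compliments and invites are private to their owner; the inner wildcard is renamed $other for readability.

```json
{
  "rules": {
    // No root-level ".read"/".write": rules cascade downward, so a grant
    // here would apply to every path and could not be revoked in a child.
    "venues-location": {
      ".read": "auth != null",
      ".write": false,
      ".indexOn": "g"
    },
    "users-location": {
      // Assumption: geo queries need to read the whole collection,
      // but each user may only write their own location node.
      ".read": "auth != null",
      ".indexOn": "g",
      "$uid": {
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "users-compliments": {
      "$uid": {
        // Only the owner of the node may read or write it.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "$other": {
          ".indexOn": ".value"
        }
      }
    },
    "users-invites": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "$other": {
          ".indexOn": ".value"
        }
      }
    }
  }
}
```

Because rules cascade, a permission granted at a parent path cannot be taken away at a child path, which is why the root-level grants are removed rather than overridden deeper in the tree.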
