![security-medium](https://www.gstatic.com/codereviewagent/security-medium-priority.svg) ![medium](https://www.gstatic.com/codereviewagent/medium-priority.svg)

![security-medium](https://www.gstatic.com/codereviewagent/security-medium-priority.svg) ![medium](https://www.gstatic.com/codereviewagent/medium-priority.svg)

The security rules for the `usernames` collection do not prevent users from registering reserved usernames such as `admin`, `root`, or `support`. While the client-side code has a check, it can be bypassed by interacting directly with the Firestore API, allowing an attacker to impersonate official accounts.

_Originally posted by @gemini-code-assist[bot] in https://github.com/w3develops/w3Develops/pull/469#discussion_r2779374959_
            

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

![security-medium](https://www.gstatic.com/codereviewagent/security-medium-priority.svg) ![medium](https://www.gstatic.com/codereviewagent/medium-priority.svg) #478

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

![security-medium](https://www.gstatic.com/codereviewagent/security-medium-priority.svg) ![medium](https://www.gstatic.com/codereviewagent/medium-priority.svg) #478

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions