LLMs Tested Against Firebase Broken Access Control Exploit for $1,500
June 3, 2026
A security researcher built a deliberately vulnerable React Native/FastAPI app where the exploit involves extracting Firebase credentials from a bundled google-services.json and bypassing a hardened API by querying Firestore directly. The test evaluated whether LLMs could autonomously discover and execute this broken access control pattern, a class of vulnerability common in Firebase and Supabase deployments.
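The bypass described above works because the Firebase config in google-services.json is not a secret by design: any client holding it can talk to Firestore, so the only control that matters is the Firestore security ruleset, not the hardening of the API in front of it. The ruleset below is an added illustration, not the researcher's app or any code from the article, and the `users` and `orders` collection names and the `ownerUid` field are assumed; it shows the permissive rule that enables the direct-query bypass (as a comment) beside a hardened deny-by-default ruleset.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (the pattern that makes the API hardening irrelevant):
    //   match /{document=**} { allow read, write: if true; }
    // Anyone with the project config bundled in google-services.json can
    // read and write every collection with the client SDK, never touching
    // the FastAPI layer at all.

    // HARDENED: explicit deny-all catch-all. Rules are allow-only and
    // overlapping matches are OR'ed, so this only documents the default;
    // access must be granted by one of the narrower matches below.
    match /{document=**} {
      allow read, write: if false;
    }

    // A signed-in user may read only their own profile document.
    // No client write path: writes go through the API, whose Admin SDK
    // credentials bypass these rules entirely.
    match /users/{userId} {
      allow read: if request.auth != null
                  && request.auth.uid == userId;
      allow write: if false;
    }

    // Orders are readable only by the owner recorded on the document
    // (assumed field name `ownerUid`); again no client writes.
    match /orders/{orderId} {
      allow read: if request.auth != null
                  && request.auth.uid == resource.data.ownerUid;
      allow write: if false;
    }
  }
}
```

Deploy with the Firebase CLI (`firebase deploy --only firestore:rules`) and test the deny cases with the Firebase emulator before shipping, since a single `if true` anywhere in the file grants access regardless of the other matches.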
HOW THIS AFFECTS YOU
● builder: If you ship mobile apps with Firebase or Supabase as a data layer, this highlights a specific credential-leakage vector in bundled config files whose exploitation LLMs may now be able to automate.
● policy: Worth watching because it provides empirical data on LLM autonomous offensive security capability against a real, common vulnerability class.