Skip to content
Tech News
← Back to articles

I built a vulnerable app and spent $1,500 seeing if LLMs could hack it

2026-06-04 | original
read original get Cybersecurity Penetration Testing Kit → more articles
Why This Matters

This experiment highlights the potential for large language models (LLMs) to identify and exploit security vulnerabilities in real-world applications, emphasizing the importance of robust security measures in app development. It demonstrates that even well-secured APIs can be compromised through indirect access points like Firebase, underscoring the need for comprehensive security strategies for both developers and consumers.

Key Takeaways

I built a vulnerable app and spent $1,500 seeing if LLMs could hack it

As a part of my work I do security research for various apps and websites. I wanted to see if LLMs could reproduce a common class of exploits I’ve found in multiple apps.

I made a fake React Native app in Expo and a backend in Python. It’s a book review app and the goal is to find a flag in a user’s private reviews.

If you would like to try solving it yourself before I spoil it, here’s a ZIP of the APK and challenge description each LLM was fed.

It looks like this:

Full exploit details (spoilers) API in FastAPI, app in React Native Expo with Hermes export for Android

The API is very secure itself, however it uses Firebase as the data layer.

A google-services.json inside the app includes Firebase information.

inside the app includes Firebase information. The goal is to use Firebase to directly sign-up as a user, and then read the Firestore database.

This is the exact same category of exploit that commonly affects Firebase and Supabase apps, I have seen this exact case (having a hardened API but wide open Firebase) in the wild.

... continue reading

Explore topics: react native firebase fastapi expo security research
Related:
China's military obtained Nvidia chips despite US export controls, report claims
Meta's AI support chatbot made it ridiculously easy for hackers to take over Instagram accounts
AMD promises 13% uplift with new EXPO ‘Ultra Low Latency’ overclocking on DDR5 DIMMs — automatic memory overclocking delivers 4% improvement over standard EXPO, says AMD
Huawei chairman thanks the US for export restrictions on chips, says it supercharged China’s semiconductor industry — Washington’s export controls encouraged Chinese firms to invest in R&D and build their own tech stack competing with American tech
The Trade Show Strategy No One Is Talking About — and How It Built Nearly $1M in Pipeline

© 2026 GoKawiil

About | Editorial Policy | Contact