Kasra Rahjerdi, a security researcher, spent $1,500 to test whether large language models (LLMs) could exploit vulnerabilities in a deliberately insecure app he built. The app, called BookNook, is a React Native Expo app with a Python backend designed to mimic a common security flaw found in Firebase and Supabase applications. Rahjerdi shared the app and challenge publicly on June 3, 2026, inviting others to try hacking it before revealing the results, according to kasra.blog.

Rahjerdi created the BookNook app with a FastAPI backend and used Firebase as the data layer. The app’s API was secure, but the Firebase configuration file included in the app allowed direct access to the Firestore database. The challenge was to sign up as a user via Firebase and read private user reviews, replicating a common exploit Rahjerdi has encountered in real-world apps. He documented the full exploit process and shared screenshots of the app’s interface on his blog.

This experiment highlights ongoing security risks in apps that rely on Firebase or Supabase without properly restricting database access. While hardened APIs can protect endpoints, exposed client-side configuration files can allow attackers to bypass protections. Rahjerdi’s work underscores the importance of securing backend data layers and the potential for AI tools like LLMs to identify vulnerabilities by analyzing app code and configurations.
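The flaw described above is an authorization failure in the data layer, not an API bug: the Firebase config shipped in the client is not a secret, so Firestore security rules are the only thing standing between a self-registered account and other users' private reviews. The following rules file is an added example (not BookNook's actual rules; the `reviews` collection and its `ownerId` and `isPrivate` fields are assumed for illustration) showing the weak pattern beside a hardened version:

```rules
// Added example, not the BookNook project's own rules. Collection and
// field names (reviews, ownerId, isPrivate) are assumed for illustration.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak pattern (assumed): any signed-in user may read every review,
    // private ones included. Because the Firebase config is in the app,
    // anyone can sign up, so "signed in" is authentication, not authorization.
    // match /reviews/{reviewId} {
    //   allow read: if request.auth != null;
    // }

    // Hardened: public reviews are readable by signed-in users; private
    // reviews only by their owner. Writers must be the owner and must set
    // ownerId to their own uid, so the ownership check cannot be forged.
    match /reviews/{reviewId} {
      allow read: if request.auth != null
                  && (resource.data.isPrivate == false
                      || resource.data.ownerId == request.auth.uid);

      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid;

      allow update: if request.auth != null
                    && resource.data.ownerId == request.auth.uid
                    && request.resource.data.ownerId == request.auth.uid;

      // request.resource is undefined on delete, so check the stored doc.
      allow delete: if request.auth != null
                    && resource.data.ownerId == request.auth.uid;
    }
  }
}
```

Firestore rules are not filters: with the hardened rules, a client listing reviews must constrain the query (for example to `isPrivate == false` or to its own `ownerId`) or the whole query is denied, which is the desired failure mode.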

Rahjerdi provided a ZIP file containing the APK and challenge description for public testing. His detailed blog post on June 3, 2026, includes the full exploit walkthrough and insights into how LLMs performed in this hacking challenge, offering valuable information for developers aiming to secure their Firebase-based applications.

Editorial standards. Reported and edited at Startupniti's news desk from the sources listed in the right rail. Every fact traces to a citation. If something looks wrong, write to corrections.