A University of Toronto student accidentally discovered a serious security vulnerability in a generative AI hackathon's application system, highlighting persistent issues in web application security and Firebase configuration management. This oversight allowed the student to bypass the normal application procedure by writing directly to the application database, demonstrating how even high-profile tech events remain susceptible to basic security flaws.
The discovery process: The vulnerability began with a password reset email that revealed inconsistencies in the hackathon’s branding and infrastructure.
- After receiving a reset email that oddly referenced “genai-hackathon-2024” despite the event being called “GenAI Genesis 2025,” the student investigated the site’s source code.
- The website relied on Firebase, a Google cloud service that simplifies app development but requires careful security configuration to prevent unauthorized access.
- The student discovered exposed Firebase configuration details in the site’s JavaScript files, providing direct database access credentials.
The exploit details: The vulnerability allowed complete circumvention of the application approval process through direct database manipulation.
- Using the exposed configuration details, the student gained direct read/write access to the site’s Firestore database using just a browser console.
- The security flaw enabled changing any user’s application status from “PENDING” to “ACCEPTED” with a simple database command.
- This vulnerability effectively let anyone approve their own application or manipulate other applicants’ data without any authorization checks.
The security implications: This incident highlights widespread but easily preventable security oversights in web application development.
- The hackathon site failed to implement proper Firebase security rules, which could have restricted database access to authorized administrators only.
- The exposure of configuration details in client-side JavaScript created a critical security hole that bypassed all intended authorization controls.
- Similar Firebase security misconfigurations remain common across web applications despite being well-documented and relatively simple to prevent.
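The control the bullets above say was missing, written out as a Firestore security rules file. This is an added example, not the hackathon site's actual rules: the collection name `applications`, the field names `uid` and `status`, and the `admin` custom claim are assumptions. One caveat a practitioner will want stated: the Firebase web config values (project id, API key, app id) are shipped to every browser by design, so the layer that decides whether a status write succeeds is the rules file, not the secrecy of those values. The permissive rule is shown commented out, beside the hardened version.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Admins are identified by a custom claim ("admin") on the Firebase Auth
    // token. The claim name is an assumption for this example; it is set
    // server-side with the Admin SDK, never from the browser.
    function isAdmin() {
      return request.auth != null && request.auth.token.admin == true;
    }

    // An applicant owns the document whose "uid" field matches their auth uid.
    function isOwner() {
      return request.auth != null && resource.data.uid == request.auth.uid;
    }

    // Hypothetical collection name; the page does not name the real one.
    match /applications/{applicationId} {

      // WEAK: the effect the page describes. Any client that loads the public
      // config can read and write every application, status field included.
      // allow read, write: if true;

      // HARDENED:
      // Applicants see only their own application; admins see all.
      allow read: if isAdmin() || isOwner();

      // A signed-in user may create an application for themselves, and it
      // always starts as PENDING regardless of what the client sends.
      allow create: if request.auth != null
                    && request.resource.data.uid == request.auth.uid
                    && request.resource.data.status == 'PENDING';

      // Only admins may change "status". Applicants may edit other fields of
      // their own application but cannot touch status or uid.
      allow update: if isAdmin()
                    || (isOwner()
                        && !request.resource.data.diff(resource.data)
                              .affectedKeys()
                              .hasAny(['status', 'uid']));

      // Nobody deletes applications from the client.
      allow delete: if false;
    }
  }
}
```

Deploy with `firebase deploy --only firestore:rules`, and exercise the rules against the Firestore emulator before shipping: the check worth automating is that an authenticated non-admin user attempting to update `status` on their own document is rejected, since that single write is the one the page describes.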
The responsible disclosure: The student took appropriate ethical steps after discovering the vulnerability.
- After finding and documenting the issue, the student promptly reported it to the hackathon organizers through proper channels.
- The disclosure included comprehensive details about the vulnerability along with recommendations for fixing the security issues.
- The organizers acknowledged the report and presumably implemented fixes to secure their application system.
Why this matters: The incident demonstrates how even technical events focused on cutting-edge AI technology can overlook fundamental security practices.
- The security vulnerability was discovered in the application system for Canada’s largest AI hackathon, an event that ironically promotes technological advancement.
- This type of database misconfiguration remains persistently common despite being included in many security checklists and guidelines.
- The case serves as a reminder that attention to security basics remains essential even when working with advanced technologies like generative AI.
Source: How I accepted myself into Canada's largest AI hackathon