SShortSingh.
Back to feed

Internal Firebase panel had hardcoded credentials granting all visitors full database access

0
·1 views

A routine security review of an internal management tool called PanelControl uncovered two critical flaws: a debug leftover made the admin password check always pass, and hardcoded Firebase credentials in the public JavaScript bundle automatically authenticated every site visitor with full read/write database access. The login form operators used daily was effectively just a visual filter, offering no real protection at the database level. Because a single shared Firebase identity was used for all visitors, the platform's database rules could not distinguish legitimate operators from anyone who loaded the page. The fix was rolled out in five phases without locking out the team, moving credential verification to a server-side Netlify Function that issues custom tokens tied to each operator's real identity. Database rules were updated to check operator-specific claims from those tokens, replacing the single shared account that had left the system exposed.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Developer Completes Cyber Security 101 Learning Path on TryHackMe

A developer named Ahmed Al-Diab has completed the Cyber Security 101 learning path on TryHackMe, an online cybersecurity training platform. The achievement was shared publicly on DEV Community along with a verifiable certificate link. TryHackMe offers structured learning paths designed to build foundational skills in cybersecurity. The Cyber Security 101 path is aimed at beginners looking to establish core knowledge in the field. Ahmed also shared the milestone on his LinkedIn profile, highlighting his professional development in cybersecurity.

0
ProgrammingDEV Community ·

Developer Launches Browser-Based AI Tool to Remove and Replace Video Backgrounds

A developer has launched bgchanger.video, a browser-based AI tool that removes or replaces video backgrounds without requiring heavy editing software. The tool allows users to upload a video, strip its background, and export the result in multiple formats including MP4, WebM, MOV, MKV, and GIF. It is designed for creators, marketers, and product teams who need quick background cleanup for demos, social media clips, and ad creatives. The current version supports transparent background export and solid color replacement, with original audio preserved. The developer is actively seeking user feedback on potential features such as custom background uploads, templates, and batch processing.

0
ProgrammingDEV Community ·

How Runtime Policy Layers Can Prevent AI Agents from Executing Harmful Actions

As AI agents gain the ability to call tools, write records, send emails, and trigger workflows, developers face a growing risk of unintended production damage even without malicious intent. A runtime policy system acts as a deterministic checkpoint between the AI model and any real-world action it proposes. Unlike system prompts, which only guide behavior and can be bypassed, a runtime policy layer enforces hard rules by evaluating each proposed tool call before execution. The system can allow, deny, hold for human approval, or modify an action based on explicit criteria such as tenant identity, cost limits, and task context. Developers building agentic features are advised to wrap every proposed action in a server-owned envelope and route all tool calls through this gate rather than passing them directly to executors.

0
ProgrammingDEV Community ·

Google AI Studio's One-Click Export to Antigravity: What Works and What Doesn't

Google introduced an 'Export to Antigravity' feature at I/O 2026, promising a seamless one-click transfer of multi-agent AI Studio prototypes to a local development workspace. The export successfully carried over all project files and the Gemini API key, but conversation history did not transfer despite being explicitly listed in the export dialog. The exported project also contained a pre-existing code bug — an unsupported combination of tool use and forced JSON-mode output in the Gemini API — which was baked into AI Studio's generated code rather than caused by the export itself. The bug was resolved using Antigravity's built-in AI agent, which proposed and applied a fix across multiple files, allowing the two-agent Research Digest app to run successfully end to end. Developers are advised to manually back up conversation history, locate the exported project folder independently, and do a full test run before continuing to build on the exported code.