A security researcher spent $1,500 testing whether leading AI models could autonomously exploit a vulnerable Android application, finding that GPT-5.5 successfully hacked the app 70% of the time while most competing models failed completely. The experiment reveals significant variations in AI models' ability to identify and exploit security vulnerabilities without human guidance.
GPT-5.5 Demonstrates Strongest Autonomous Exploitation Capability
The researcher created a book review app with a critical Broken Access Control vulnerability. While the API was heavily secured, the application exposed Firebase credentials in its google-services.json file. The exploit required models to sign up as a user directly via Firebase, then read the Firestore database to access private reviews containing a hidden flag.
Across 10 full runs per model, GPT-5.5 achieved a 7/10 success rate at $9.46 per successful solve. Deepseek V4 Pro succeeded 3/10 times at just $0.62 per solve, while Claude Sonnet 4.6 and Claude Opus 4.8 each succeeded only 2/10 times, costing $45.75 and $16.15 per solve respectively.
Most Models Failed to Identify Firebase Vulnerability
Six models recorded zero successful exploits: Deepseek V4 Flash, Gemini 3.1 Pro Preview, Gemini 3.5 Flash, MiniMax M2.7, and Step 3.7 Flash. Gemini 3.1 Pro Preview refused the task immediately on security grounds, while other models struggled with strategic approach.
Successful models consistently "focused fully on Firebase after unzipping the APK," quickly identifying the direct database vulnerability. Failed attempts typically "never touched Firebase, focused only on the API or RN app" or mistakenly attempted using Firebase credentials against the hardened API instead of accessing the database directly.
Safety Guardrails Vary Significantly Across Providers
Claude Opus encountered "late refusals, not right off the bat," suggesting context-dependent safety mechanisms that evaluate requests after initial processing. In contrast, Gemini models refused immediately, implementing stricter upfront content filtering for security-related tasks.
The researcher expressed skepticism about the practical value of continuing such experiments, noting they should "stop wasting fucking money on doing stupid shit." The findings suggest that while frontier models demonstrate growing autonomous hacking capabilities, performance remains inconsistent and cost-prohibitive for practical red team applications.
Key Takeaways
- GPT-5.5 successfully exploited a vulnerable app 7 out of 10 times, costing $9.46 per successful hack
- Deepseek V4 Pro achieved 3/10 success rate at just $0.62 per solve, the most cost-effective option
- Six models including all Gemini variants recorded zero successful exploits across 10 attempts each
- Successful models immediately focused on Firebase credentials after analyzing the APK, while failed attempts targeted the hardened API
- Total research cost exceeded $1,500 across multiple model providers and 10 runs per model