Mayor
190 posts
Mayor
@techmayorr
Software engineer, accidentally a designer too. Building useful products for 7+ years - Flutter | Rust
Katılım Eylül 2019
778 Takip Edilen1.1K Takipçiler
I wrote up a postmortem about what happened:
ulusoyca.medium.com/how-a-two-year…
In April my @FlutterDev + @Firebase app was on stage at the Google Cloud Next Developer Keynote. Three weeks later a bot drained €3,167 from the same project overnight and got it suspended by Google.
All resolved now — suspension lifted, app back online, billing reviewed.
I am sharing the full postmortem because it can be helpful to a lot of indie devs. Thanks to @puf and the Firebase team @sgnagnarella @Thevi_S for their support on diagnosis!
Cagatay Ulusoy@ulusoyapps
The GCP project of my @FlutterDev @Firebase app got suspended this weekend for abuse, after a single day of €3,167 in unauthorized Gemini API charges. The root cause turned out to be a #Firebase Hosting default that is hard to know about. Worth sharing what I learned.
I thought the Firebase and Google Cloud project was clean and safe. Client uses Firebase AI Logic (proxy, no on-device Gemini key) with App Check via Play Integrity / App Attest.
The suspension email said "key published on public sources." But: my GitHub repo is private and was never public. flutter build web was never run for this project. Where was the leak surface?
Google AI Studio showed three Gemini-callable keys. Two tight (server-side). One was a "Browser key (auto created by Firebase)" — Unrestricted, since Nov 2024. That was the web app in my generated firebase_options.dart, from when I configured Flutter web at project init.
Here's the part I didn't know about: Firebase Hosting auto-serves your web SDK config at a reserved URL — https://
English
@ulusoyapps @FlutterDev @Firebase This is one of my concern when calling an agent directly from the client side
English
The GCP project of my @FlutterDev @Firebase app got suspended this weekend for abuse, after a single day of €3,167 in unauthorized Gemini API charges. The root cause turned out to be a #Firebase Hosting default that is hard to know about. Worth sharing what I learned.
I thought the Firebase and Google Cloud project was clean and safe. Client uses Firebase AI Logic (proxy, no on-device Gemini key) with App Check via Play Integrity / App Attest.
The suspension email said "key published on public sources." But: my GitHub repo is private and was never public. flutter build web was never run for this project. Where was the leak surface?
Google AI Studio showed three Gemini-callable keys. Two tight (server-side). One was a "Browser key (auto created by Firebase)" — Unrestricted, since Nov 2024. That was the web app in my generated firebase_options.dart, from when I configured Flutter web at project init.
Here's the part I didn't know about: Firebase Hosting auto-serves your web SDK config at a reserved URL — https://.web.app/__/firebase/init.json — as plain JSON, unauthenticated, to anyone. It includes apiKey, appId, projectId, authDomain.
This endpoint is active whenever you have (a) a registered web app in Firebase Console + (b) any Hosting deploy. Contents of the deployed site are irrelevant. Mine was a simple CSS landing page that doesn't reference Firebase JS SDK at all. Endpoint leaked the key anyway.
Bots scrape *.web.app/__/firebase/init.json because the pattern is universal across every Firebase project. Mine got picked up, the key was Unrestricted (= usable for any enabled API), and someone burned €3K of Gemini inference in a few hours.
Project reinstated after appeal; outstanding balance still in review.
Lessons I missed:
- Auto-generated browser keys are Unrestricted by default (at least the time project was created). Always add HTTP referrer + API restrictions at creation.
- Don't register a web app unless you use the JS SDK.
- Set a Gemini spend cap + budget alert. €100/day cap. You can easily do this in Google AI Studio
What I would ask the Firebase team:
— Browser keys should default to restricted (HTTP referrer to project domains, API restriction to Firebase services) -> not sure this has changed after the date I created the project.
— Reserved __/firebase/init.json should be opt-in. Static websites hosted with Firebase Web hosting do not need the API key info.
— Firebase Console should warn when a key has been Unrestricted for >N days. Google AI Studio warns when you visit API keys page, but it should be visible on homepage.
— Default-on spend caps for Generative Language API.
TLDR; "Private repo" is not a meaningful security boundary when the key has another publicly-reachable surface. Audit not just your code, but every endpoint your project ID exposes including the ones the platform creates for you without telling you. Always manually verify API restrictions.
English
Mayor retweetledi
Mayor retweetledi
Introducing Agent Skills for Flutter and Dart to give your AI tools domain-specific expertise 📓
These initial core Skills are designed to handle the most common Flutter development hurdles. Learn how to start using them in your workflow → goo.gle/4uBRR6M
GIF
English
@Yohanansoltd Claude doesn’t create the exact site to avoid copyright, a better approach would be - go to developer tools -> inspect elements, click on the section you want, then copy elements, this way you can combine multiple sections to make your site unique.
English
To solve this
1. Ensure you have a type scale
2. Use 1-2 type faces
3. Use a basic design system , you don’t need it to be robust ( it should contain , borders , color, scales , states etc).
4. Look for a good reference website , send link to claude to inspect it and fetch you its data.
Dennis Obaro the UI/UX KING@thedennisobaro1
If your vibe coded website looks vibe coded then you did a bad job.
English
@techmayorr @benjitaylor This looks really coool. I will try it out.
English
Rebuilt agentation by @benjitaylor in Flutter.
Basically, you click on widgets, add notes, and copy markdown. Paste the output into Claude Code, Codex, or any AI tool. Genuinely useful so far.
#Flutter
Link below ↓
English
@akinkunmi With right architecture setup, features gating at the end, most cases for personal projects we figure things out as we build, so deciding the free vs paid features comes towards the end. what’s your approach?
English
One of the things I like about software development is that you only need one or two sentences for people to see that you have no idea what you're talking about.
Smart👨💻 | Software Engineer@smartnakamoura
A Nigerian fintech just lost ₦20 million to a fake webhook. Attacker didn’t hack anything. They just POSTed this to the endpoint: { "event": "transfer.success", "amount": 500000, "status": "success" } Backend credited the user. Zero money moved. This is happening more in crypto payments too. What every backend dev must do in 2026: 1. Verify webhook signature + IP + timestamp (not just event name). 2. Never credit on webhook alone always confirm on-chain + NIBSS. 3. Add rate limiting and replay attack protection. 4. Reconcile every stablecoin inflow against blockchain truth. Crypto rails move fast. One lazy endpoint and you’re done. Save this like your production depends on it. Drop your worst webhook horror story 👇
English
Everyone discussing the red vs blue button dilemma, and I find it interesting.
When I first heard it, I thought "obviously blue". Then after reading comments it does logically make sense to pick red.
The issue lies with not knowing what everyone else is thinking.
English
i started this project in march, i gave myself a couple days to ship. my thinking was i have ai, that guy will figure it out, how hard can it be but the day came and i had nothing i wanted to ship. being a designer doesn't help. i will always keep filing until polish is achieved
now it's april and i've pivoted direction more times than i planned. most of my problems came from unintentionally tryin to outsource my thinking to ai.
in hindsight, that's like shooting myself in the foot.
The project is finally here! At least MVP version.
Court Atlas started as globe first, directory of names and addresses. today i've reframed the product to a guide book for tennis enthusiasts who ask "I'm here, how do I actually play?"
enjoy: court-atlas.vercel.app
share all the bugs and suggestions :)
lotamchi@lottabydesign
spent an unreasonable amount of time obsessing how and what court meta data will be visualised in the gallery. settled on surface type for now, using visual encoding and linear interpolation. even though i can't 100% verify these surface type counts for most cities, i'm enjoyin the process of crafting and polishin this bit
English
Bugs were already unavoidable. AI made them worse.
Most engineers are shipping faster with AI, but debugging slower with it too.
Because when the AI writes the code, you skip the part of your brain that would've caught the bug as you typed.
So I wrote down the exact playbook I use to debug AI-assisted apps:
Mayor@techmayorr
English
Mayor retweetledi
Every single person coding with AI right now:
> Get an idea at 11 PM.
> Build the entire app with Claude by 3 AM.
> Realize you actually have to talk to
humans to get sales.
> Panic and start a new project to avoid marketing.
Can we coin a term for whatever mental illness this is? 😭
English