How we hacked YC Spring 2025 batch's AI agents — Rene Brandel, Casco
Takeaway
Agents are users, not services — apply classic web-app authn/authz, IDOR mitigation and sandbox hardening downstream of the LLM, not at the prompt layer.
Summary
- Casco (YC, AI agent red-teaming) hacked 7 of 16 YC Spring 2025 agents in 30 minutes each; landed second-highest upvoted YC launch ever
- Issue 1 — Cross-user data access via IDOR: leaked system prompts revealed tools that fetch user info by ID; the IDs were guessable from the companies' own product demo URLs, and substituting them opened chats and documents belonging to other users
- Issue 2 — Code execution sandbox escape: guardrails that lived only in the system prompt ('Python only', 'restricted files') were bypassed by asking the model to do the opposite; individually harmless write-file and read-file tools were chained into arbitrary file access
- Fixes: treat the agent as the user it acts for, not as a trusted service account — enforce authentication and authorization in the downstream APIs the tools call (row-level security keyed on the authenticated principal), never let the LLM decide what the caller is authorized to see, and sanitize tool inputs and outputs
- Argues most LLM security talk focuses on prompt injection but the real damage is conventional web-app security failures applied to LLM-driven request patterns
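The two failures above are ordinary authorization bugs that happen to be reachable through a tool call, so the fix is the same one a web app would use. The block below is an added example written for this page (it is not Casco's code and not any of the audited products' code): a hypothetical agent tool layer with a `get_document` tool and per-user `read_file`/`write_file` tools. The user IDs, document bodies and file names are constructed sample data. The insecure variant accepts whatever ID the model emits; the hardened variants take the principal from a server-attached `Session` and enforce ownership in the SQL predicate and in a realpath-based sandbox check, so "inverting" the prompt gains the attacker nothing.

```python
import json
import os
import sqlite3
import tempfile
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a tool call is outside the caller's authority."""


@dataclass(frozen=True)
class Session:
    # Principal established by the web layer (verified cookie/JWT).
    # The model never sees or supplies this value.
    user_id: int


def build_db():
    # Constructed sample data: two users, one document each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents(id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)",
                   [(1, 100, "alice's roadmap"), (2, 200, "bob's payroll")])
    return db


def get_document_insecure(db, doc_id):
    # IDOR: the only input is the id the model chose, so any guessable id works.
    row = db.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document(db, session, doc_id):
    # Row-level scoping: the owner predicate comes from the session, not the model.
    row = db.execute(
        "SELECT body FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, session.user_id),
    ).fetchone()
    if row is None:
        # Same error for "missing" and "not yours": no oracle for enumeration.
        raise AuthorizationError(f"document {doc_id} not accessible")
    return row[0]


def _resolve_in_sandbox(root, session, relpath):
    # Per-user directory; realpath collapses '..' and symlinks before the check,
    # and an absolute path from the model is rejected the same way.
    base = os.path.realpath(os.path.join(root, str(session.user_id)))
    os.makedirs(base, exist_ok=True)
    target = os.path.realpath(os.path.join(base, relpath))
    if os.path.commonpath([base, target]) != base:
        raise AuthorizationError(f"path {relpath!r} escapes sandbox")
    return target


def write_file(root, session, relpath, content):
    path = _resolve_in_sandbox(root, session, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return os.path.relpath(path, os.path.realpath(root))


def read_file(root, session, relpath):
    with open(_resolve_in_sandbox(root, session, relpath), encoding="utf-8") as fh:
        return fh.read()


def dispatch(db, root, session, tool_call_json):
    # Tool calls arrive as JSON emitted by the model; the session is attached
    # by the server, so a manipulated prompt cannot widen the principal.
    call = json.loads(tool_call_json)
    name, args = call["name"], call.get("arguments", {})
    if name == "get_document":
        return get_document(db, session, int(args["doc_id"]))
    if name == "read_file":
        return read_file(root, session, str(args["path"]))
    if name == "write_file":
        return write_file(root, session, str(args["path"]), str(args["content"]))
    raise AuthorizationError(f"unknown tool {name!r}")


def demo():
    """Run the vulnerable and hardened paths on the constructed input."""
    db = build_db()
    alice, results = Session(user_id=100), {}
    results["idor_leak"] = get_document_insecure(db, 2)   # alice reads bob's doc
    results["scoped_own"] = get_document(db, alice, 1)
    try:
        get_document(db, alice, 2)
        results["scoped_forbidden"] = False
    except AuthorizationError:
        results["scoped_forbidden"] = True
    with tempfile.TemporaryDirectory() as root:
        write_file(root, alice, "notes.txt", "hi")
        results["sandbox_read"] = dispatch(
            db, root, alice, json.dumps({"name": "read_file", "arguments": {"path": "notes.txt"}}))
        try:  # model is talked into reading another user's tree
            dispatch(db, root, alice, json.dumps(
                {"name": "read_file", "arguments": {"path": "../200/payroll.txt"}}))
            results["traversal_blocked"] = False
        except AuthorizationError:
            results["traversal_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the layout is that nothing the model emits reaches the database or the filesystem without being joined to `session.user_id` first; a prompt injection that persuades the model to request `doc_id=2` or `../200/payroll.txt` produces the same `AuthorizationError` a hand-crafted HTTP request would. Note the sandbox check uses `os.path.commonpath` on two `realpath` results rather than a string prefix test, which is what defeats `..`, absolute paths and symlinks dropped in by a prior `write_file`.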
Tags: agent-security, prompt-injection, authorization
Original description
We hacked 7 of the 16 publicly-accessible YC X25 AI agents. This allowed us to leak user data, execute code remotely, and take over databases. All within 30 minutes each. In this session, we'll walk through the common mistakes these companies made and how you can mitigate these security concerns before your agents put your business at risk. Recorded at the AI Engineer World's Fair in San Francisco. Stay up to date on our upcoming events and content by joining our newsletter here: https://www.ai.engineer/newsletter

Timestamps:
- 00:00 Introduction to Casco and AI Agents
- 01:31 Evolution of Agent Stacks and Security Concerns
- 02:56 Why Casco Hacked AI Agents
- 04:00 Common Issue 1: Cross-User Data Access (IDOR)
- 07:38 Common Issue 2: Arbitrary Code Execution
- 12:38 Common Issue 3: Server-Side Request Forgery (SSRF)
- 14:48 Key Takeaways
- 15:28 Casco's Solution and Contact Information
- 15:56 Q&A