An investigation by the firm RedAccess has found more than 5,000 applications created with vibe-coding tools that practically lack authentication. Anyone who stumbles upon their URL can get in. Of those 5,000, 2,000 turned out to contain private data upon inspection.
The finding covers apps generated with Lovable, Replit, Base44 and Netlify, four of the platforms that have most popularized describing a program in words and letting an LLM write it.
Why is it important. The promise of vibe coding is that anyone, without knowing how to program, can build software. The catch is that this same “anyone” also doesn’t know what questions to ask an application before releasing it on the Internet.
The result is a new category of breaches caused not by careless employees or advanced attackers, but by people who have thrown together an internal tool in an afternoon without going through anyone on the security team.
In detail. The researchers located these applications by running ordinary searches on Google and Bing, combining each platform's domains with generic terms. No hacking involved: it is more like reverse engineering a search engine.
What appeared behind those URLs included hospital shift rosters with doctors' data, corporate strategy presentations, complete records of chatbot conversations with customers (with names and telephone numbers), and cargo ledgers from transport companies. In some cases, access even let them gain administrator privileges and lock other users out.
Between the lines. The platforms involved have responded with the predictable argument: it is the user's fault. Replit points out that its apps can be marked as private with one click. Base44 maintains that its access controls are robust and that disabling them is a conscious decision. Lovable notes that its role is to provide tools, not to configure them for anyone.
It is a valid argument and, above all, a comfortable one. It is also the same one Amazon used with the misconfigured S3 buckets that leaked Verizon or WWE data: the setting was there, but the user didn't find it.
The context. Vibe coding takes an old problem to a new level. Every time a layer of abstraction has democratized a craft (spreadsheets, AI wrappers, web templates), the newly arrived group has shown up without the baggage of good practices that the previous one had.
What changes now is the speed. Someone from a non-technical department can create a tool in two minutes and upload it to production without it going through IT.
Yes, but. The AI models that generate the code are not neutral agents. They do what is asked of them, no more, no less. If no one tells them “protect this in X way and implement Y,” they won’t do it. Security by default is still not a learned behavior in most of these tools, and that is a design decision of the platforms, not the end user.
The consequence is foreseeable. There are going to be many more leaks like the ones RedAccess has caught before the industry internalizes that a “publish” button should not coexist with a privacy setting hidden three menus below.
Featured image | Xataka