Read this before you vibe-code another app
- company Corridor
- company OpenAI
- company Privy
- company SentinelOne
- person Bob Starr
- person Gabriel Bernadett-Shapiro
- person Jer Crane
- person Joe Procopio
A surge in “vibe-coded” applications built with AI tools is exposing thousands of publicly accessible apps to security flaws, with researchers finding nearly 2,000 leaking sensitive data such as medical and financial records, according to a new report from cybersecurity firm Red Access [1]. The findings highlight the risks of a growing trend where individuals with little to no coding experience use AI to generate functional software. Bob Starr, a project manager in the tech sector, discovered his own vibe-coded website contained a hidden SQL injection risk months after it went live. “It was just a glaring oversight on my part. It was a complete blindspot in my state of learning this new technology and understanding it, and I’m sure there are others making the same mistake,” Starr said [1]. Security researchers at Red Access found roughly 5,000 publicly accessible apps built with popular vibe-coding tools that had no authentication, and close to 2,000 of those appeared to be leaking sensitive data [1]. In a separate incident, researchers at the security firm Wiz found the entire production database of a viral social network called Moltbook wide open, exposing tens of thousands of email addresses and private messages [1]. Gabriel Bernadett-Shapiro, a distinguished AI research scientist at SentinelOne, said the core issue is not that amateurs can build software. “That’s actually the good part,” he said [1]. The danger emerges when a personal app drifts into handling business data without the creator realizing the shift. “Those need to be held to a different standard. Even if it was built by one person in an afternoon. Even if the software creating the software was trivial. The moment that it touches other people’s personal data, then that’s when I think the standard changes,” Bernadett-Shapiro said [1]. The problem is compounded by the nature of AI coding tools. While models such as Anthropic’s Claude series are used in AI-assisted software development, their security features require explicit user invocation [2]. Claude Code has a /security-review command, but users must ask for it, and an automatic version only runs if configured in advance—a step most casual builders skip [1]. Jack Cable, CEO of Corridor, noted that security is contextual and warned against a false sense of safety from automated reviews. “If you’re not sure if something you’re doing is secure, better safe than sorry,” Cable said [1]. Bernadett-Shapiro said his biggest concern is not buggy code but a lack of authentication when an app transitions from a local machine to the cloud, leaving sensitive data exposed [1]. The nonprofit OWASP has published an AI security verification standard, and firms like Trail of Bits have released security-focused skill packs for coding agents, though these must be specifically triggered and can be difficult to keep updated [1]. Cable added that malicious skills also exist, citing a February finding by 1Password’s Jason Meller that the most downloaded skill on a popular registry directed users to install a malicious dependency [1]. For individuals, Cable’s guidance is straightforward: a model running locally is far less risky than one made public, especially if it contains sensitive data [1]. “Literally overnight, the way most companies produce software has changed completely,” Cable said, adding that there is reason for optimism if proper guardrails are in place [1].
commentarycontroversy
Background sources we checked (9)
- en.wikipedia.org ↗ Claude is a series of large language models developed by American software company Anthropic. Claude was released as an AI-based chatbot in March 2023. It is also used in AI-assisted software development. Claude is trained using "constitutional AI", a technique developed by Anthr…
- en.wikipedia.org ↗ X, formerly known as Twitter, is an American microblogging and social networking service, headquartered in Bastrop, Texas. It is one of the world's largest social media platforms and one of the most-visited websites. Users can share short text messages, images, and videos in shor…
- en.wikipedia.org ↗ Duolingo, Inc. is an American educational technology company that produces learning apps and provides language certification. Duolingo offers courses on 42 languages, ranging from English, French, and Spanish to less commonly studied languages such as Hawaiian, Māori, and Navajo,…
- en.wikipedia.org ↗ Charles Milles Manson (né Maddox; November 12, 1934 – November 19, 2017) was an American criminal, cult leader, and musician who was the founder of the Manson Family. He gained notoriety for ordering the Tate–LaBianca murders, where his followers murdered nine people around Los A…
- en.wikipedia.org ↗ Dragon Age: The Veilguard is a 2024 action role-playing game developed by BioWare and published by Electronic Arts (EA). It is the fourth major game in the Dragon Age franchise, and the sequel to Dragon Age: Inquisition (2014). The story follows a customizable player character ca…
- en.wikipedia.org ↗ Portland ( PORT-lənd) is the most populous city in the U.S. state of Oregon. Located in the Pacific Northwest at the confluence of the Willamette and Columbia rivers, it is the 28th-most populous city in the United States, sixth-most populous on the West Coast, and third-most pop…
- en.wikipedia.org ↗ The India–Middle East–Europe Economic Corridor (commonly abbreviated as IMEC or IMEEC) is a planned connectivity project that aims to bolster economic development by fostering connectivity and economic integration between Asia, the Persian Gulf and Europe. The economic corridor c…
- en.wikipedia.org ↗ Sir Jonathan Paul Ive (born 27 February 1967) is a British-American designer. He is best known for his work at Apple Inc., where he was senior vice-president of industrial design and chief design officer. Ive is the founder of LoveFrom, a creative collective that works with Ferra…
- en.wikipedia.org ↗ The Netzarim Corridor is an area in the Gaza Strip that has served as an Israeli zone of military occupation during the Gaza war. The corridor, which splits the Gaza Strip down the middle, is located just south of Gaza City and stretches from the Gaza–Israel border to the Mediter…
Sources
- theverge.com — Read this before you vibe-code another app ↗