Thousands of Vibe-Coded Apps Expose Corporate and Personal Data On the Open Web
- Reference: 0183162342
- News link: https://yro.slashdot.org/story/26/05/08/1731257/thousands-of-vibe-coded-apps-expose-corporate-and-personal-data-on-the-open-web
- Source link:
> Security researcher Dor Zvi and his team at the cybersecurity firm he cofounded, RedAccess, analyzed thousands of vibe-coded web applications created using the AI software development tools Lovable, Replit, Base44, and Netlify and found [1]more than 5,000 of them that had virtually no security or authentication of any kind . Many of these web apps allowed anyone who merely finds their web URL to access the apps and their data. Others had only trivial barriers to that access, such as requiring that a visitor sign in with any email address. Around 40 percent of the apps exposed sensitive data, Zvi says, including medical information, financial data, corporate presentations, and strategy documents, as well as detailed logs of customer conversations with chatbots.
>
> "The end result is that organizations are actually leaking private data through vibe-coding applications," says Zvi. "This is one of the biggest events ever where people are exposing corporate or other sensitive information to anyone in the world." Zvi says RedAccess' scouring for vulnerable web apps was surprisingly easy. Lovable, Replit, Base44, and Netlify all allow users to host their web apps on those AI companies' own domains, rather than the users'. So the researchers used straightforward Google and Bing searches for those AI companies' domains combined with other search terms to identify thousands of apps that had been vibe coded with the companies' tools.
>
> Of the 5,000 AI-coded apps that Zvi says were left publicly accessible to anyone who simply typed their URLs into a browser, he found close to 2,000 that, upon closer inspection, seemed to reveal private data: Screenshots of web apps he shared with WIRED -- several of which WIRED verified were still online and exposed -- showed what appeared to be a hospital's work assignments with the personally identifiable information of doctors, a company's detailed ad purchasing information, what appeared to be another firm's go-to-market strategy presentation, a retailer's full logs of its chatbot's conversations with customers, including the customers' full names and contact information, a shipping firm's cargo records, and assorted sales and financial records from a variety of other companies. In some cases, Zvi says, he found that the exposed apps would have allowed him to gain administrative privileges over systems and even remove other administrators. In the case of Lovable, Zvi says he also found numerous examples of phishing sites that impersonated major corporations, including Bank of America, Costco, FedEx, Trader Joe's, and McDonald's, that appeared to have been created with the AI coding tool and hosted on Lovable's domain.
"Anyone from your company at any moment can generate an app, and this is not going through any development cycle or any security check," Zvi says. "People can just start using it in production without asking anyone. And they do."
[1] https://www.wired.com/story/thousands-of-vibe-coded-apps-expose-corporate-and-personal-data-on-the-open-web/
Not a vibe-coding problem (Score:5, Insightful)
This problem is not from vibe-coding. It is from a lack of design.
Real developers spend more time designing their programs than they spend coding them. For a reason.
Re: (Score:1)
Old way for a small task an entry-level person could do in 2 weeks solo: a week to design, a few days to code, a few days to unit test
New way - "official/what you tell your boss": a few hours to design/decide what you want the output to look like and rough-draft your prompts a hours to "code"/prompt the AI, including iterations, and a few hours to test the results.
New way - "reality/what you actually do": design? what's that? a few hours to iteratively create prompts until you get output that "feels good,
sarcasm aside (Score:1)
There IS a place for AI as a coding assistant. If used right by someone who COULD write good code from scratch AND who is well-versed in using his AI tools, it could actually save time.
In very limited problem domains, non-AI program-generators and LLM-"AI" program-generators can actually produce usable, correct, reasonably efficient code almost all of the time. But so could a reasonably competent programmer who was an expert in the problem domain.
In any case, using AI is likely to use a lot of electricity
Re: (Score:2)
There is a LOT of conditionals in your statement. You may want to revise it.
Re: (Score:3)
Which is also why "AI" coding assistants are worth far less than generally claimed.
Vibe coding isn't done by real developers (Score:3)
It's done by whatever schlub worked for the cheapest on weekends in between other work.
The goal of vibe coating, or realistically letting generative AI build software for you out of stolen assets, is to not have to pay somebody who can actually write applications properly.
So it's going to be slap dash. As the saying goes, fast, cheap, good pick two. Or in the case of genai I guess you get cheap at least. For now anyway.
Vibe coding was never for production code (Score:2)
According to the person who coined the phrase, vibe coding was never for production code. It was for disposable code.
Re:Vibe coding was never for production code (Score:5, Insightful)
Problem for everyone is that mindset does not save cost/produce value.
Even when part of the AI companies try to show utility honestly, they get drowned out by their own executives bulldozing the nuance aside and pretending it is just a magical replacement for software developers.
Re: (Score:2)
Obviously. But never underestimate the incompetence of stupid people that on top lack a technological education when they think they can do tech and who needs engineers anyways. The Darvin Awards, for example, document quite a few impressive respective fails.
vibe coding (Score:2)
Well if you let the robots code and dont have people with enough smarts to review, test, validate the code then your going to get this... AI needs oversight, controls and discipline just like your Human coders.
AI Governance (Score:2)
If a company allows staff to code/vibe code etc without proper governance and controls then it's on them.
Is there a policy? Are there controls? Is there governance?
Imagine every staff with access to AI has become a junior coder. They know nothing about SSDLC, SCA, SAST, DAST, MAST etc.
Dear non-technical exec, tell us what are the guard rails in place right now to prevent me from using AI to create a shitty app that's a security nightmare?
It's OK. I didn't think you knew. It's fine. No need to worry.
Visual basic 6 all over (Score:3)
History is repeating, it's like vb6 all over again, but even worse/easier.
Such a surprise (Score:2)
Non-coders with crappy tools produce insecure code. News at 11:00....
Seriously, what the hell? Are people really this dumb? Well, I guess they are.
Re: (Score:2)
Indeed, same as general survival. Getting-rich-quick is far more important. Tomorrow? Who cares!
Re: (Score:2)
Now there will be a bunch of vibe coders that think adding "but make it secure" to the prompt fixes the issues...