Vibe coding, which lets users without technical skills create software applications with AI, has exploded in popularity, enabling non-devs to churn out apps in mere hours. But if you were thinking of turning to vibe coding to build a web app, cybersecurity firm RedAccess has some unsettling findings about potential security vulnerabilities.
In research first shared with Wired, a team led by security researcher Dor Zvi identified 5,000 vibe-coded web applications created using the AI software development tools Lovable, Replit, Base44, and Netlify that had “virtually no security or authentication of any kind.” RedAccess claims that in some cases, anyone who found the correct web URL could access the apps and their data. Meanwhile, other vibe-coded web apps had “only trivial barriers” to accessing app data—for example, signing in with “any email address.”
Zvi added that in 40% of cases, the apps exposed sensitive information, including hospital work assignments containing doctors’ personally identifiable information, a firm’s go-to-market strategy presentation, and sales and financial records from a variety of companies.
Joel Margolis, a security researcher, outlined some of the issues involved in democratizing access to app development. “Somebody from a marketing team wants to create a website. They’re not an engineer, and they probably have little to no security background or knowledge,” he told Wired, adding that unless these tools are asked to create secure applications, “they’re not going to go out of their way to do that.”
Many of the companies featured in the research have expressed objections. For example, Blake Brodie, a spokesperson for Wix, the owner of Base44, told Axios that RedAccess “deliberately withheld the URLs that would have allowed us to identify and examine the applications in question.” In addition, he said the applications that were reportedly exposed had been “deliberately set to public by their owners.” Brodie also told Wired that two examples of Base44-produced websites it was shown appeared to be test sites or contained AI-generated data.
Meanwhile, Samyutha Reddy, a spokesperson for Lovable, told Axios that RedAccess’s research did not “include any URLs or technical specifics that would allow us to verify, investigate, or act on the findings described,” though the company said it was investigating the incident.