5,000 Vibe‑Coded Apps Lack Security, Exposing 40% of User Data
RedAccess finds 5,000 AI‑generated web apps insecure, leaking sensitive data for millions. Learn the risks and mitigation steps.

TL;DR
RedAccess discovered that 5,000 AI‑generated web apps have no authentication, and 40 % expose medical, financial and corporate data.
Context
AI‑driven “vibe coding” lets users describe an app in plain language and receive ready‑to‑run code in minutes. Platforms such as Lovable, Replit, Base44 and Netlify market this as a shortcut for developers of any skill level. The promise of rapid delivery has outpaced basic security hygiene.
Key Facts
- Researchers examined thousands of web apps built on the four major vibe‑coding platforms. 5,000 of them had virtually no security or authentication mechanisms.
- Sensitive information—medical records, financial details, corporate documents and private chatbot logs—was publicly accessible in 40 % of the apps.
- RedAccess co‑founder Dor Zvi warned that organizations are unintentionally leaking private data through these applications, calling it one of the largest exposures of corporate information.
- Platform responses varied: Netlify offered no comment, while Lovable, Replit and Base44 shifted responsibility to developers, noting that secure configuration is the creator’s duty.
What It Means
The findings reveal a systemic risk: AI‑generated code often omits fundamental security controls such as input validation, encryption and access controls. Because the apps can be deployed directly to production, they bypass traditional development lifecycles that include code review and penetration testing. The result is a growing attack surface where threat actors can harvest personal and corporate data with minimal effort.
Mitigations
- Enforce authentication: Require multi‑factor authentication and role‑based access control for every deployed app, regardless of its origin.
- Run static analysis: Integrate tools that scan generated code for known vulnerabilities (e.g., OWASP Top 10) before deployment.
- Patch known CVEs: Apply updates for libraries flagged in the latest Common Vulnerabilities and Exposures database, especially those related to insecure deserialization (CVE‑2023‑XXXXX) and broken authentication (CVE‑2023‑YYYYY).
- Implement runtime monitoring: Deploy Web Application Firewalls (WAF) that detect anomalous requests and block data exfiltration attempts.
- Adopt secure defaults: Platform providers should ship templates with HTTPS, secure cookies and least‑privilege permissions enabled by default.
- Conduct regular audits: Schedule quarterly security reviews of all vibe‑coded applications, treating them as high‑risk assets.
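As an added example, not code from RedAccess or from any of the platforms named above: a deny‑by‑default WSGI gate that wraps a generated app, applying the first and fifth mitigations (a session check plus role‑based access on every route, and Secure/HttpOnly/SameSite cookie attributes added by default). The session store, the route‑to‑role table and the stand‑in "generated" app are constructed sample data, and the route table is intentionally the only place a path can be made reachable.

```python
from http import HTTPStatus

SESSIONS = {"sess-alice-01": {"user": "alice", "role": "clinician"}}   # constructed sample store
ROUTE_ROLES = {"/health": set(),                      # empty set: no login needed
               "/records": {"clinician", "admin"},
               "/billing": {"finance", "admin"}}       # any unlisted path is refused

def decide(path, cookie_header):
    """200 = allowed, 401 = login required, 403 = wrong role or unlisted route."""
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return 403                                    # deny by default, never serve unknown paths
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    session = SESSIONS.get(cookies.get("session"), {})
    if allowed and not session:
        return 401
    return 200 if not allowed or session["role"] in allowed else 403

def harden_cookie(value):   # add the Secure/HttpOnly/SameSite flags generated code usually omits
    present = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
    for attr in ("Secure", "HttpOnly", "SameSite=Strict"):
        if attr.split("=")[0].lower() not in present:
            value += "; " + attr
    return value

class AuthGate:             # WSGI middleware: gate every request, fix cookies on the way out
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        code = decide(environ.get("PATH_INFO", "/"), environ.get("HTTP_COOKIE", ""))
        if code != 200:
            phrase = HTTPStatus(code).phrase
            start_response(f"{code} {phrase}", [("Content-Type", "text/plain")])
            return [phrase.encode()]
        def secure_start(status, headers, exc_info=None):
            fixed = [(k, harden_cookie(v) if k.lower() == "set-cookie" else v) for k, v in headers]
            return start_response(status, fixed, exc_info)
        return self.app(environ, secure_start)

def generated_app(environ, start_response):          # stand-in vibe-coded app: no checks at all
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", "session=abc")])
    return [b"patient records"]

def call(app, path, cookie=""):                      # drive a WSGI app in-process for testing
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return seen["status"], seen["headers"], body
```

Calling `generated_app` directly returns the records to anyone; wrapped in `AuthGate` the same request gets 401 without a session, 403 for the wrong role or an unlisted path, and the cookie it sets leaves with the missing attributes added.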
What to Watch Next
Expect tighter regulatory scrutiny and possible industry standards for AI‑generated software, as lawmakers and security agencies respond to the expanding data‑leak landscape.