
Vibe-Coded Applications Introduce New Security Vulnerabilities


The Hidden Security Risks of AI ‘Vibe Coding’

Overview

The rise of AI-assisted "vibe coding" has enabled non-developers to create custom applications, but experts warn that these apps often lack basic security protections. Multiple incidents have highlighted risks including database exposure, lack of authentication, and SQL injection vulnerabilities.

Key Incidents

Bob Starr launched "Boomberg," a site tracking US tax money to tech companies, using vibe coding. Months later, he discovered an SQL injection vulnerability that could have allowed unauthorized data access.

Jer Crane (PocketOS) reported that an AI coding agent deleted his company's production database.

Joe Procopio built a demo web app via vibe coding; hackers breached it, prompting him to discontinue it.

Matt Schlicht launched "Moltbook," a social network for AI agents built without writing code. Security firm Wiz found its production database exposed, leaking tens of thousands of email addresses and private messages. The issue was patched after disclosure.

Researchers from Red Access found approximately 5,000 publicly accessible vibe-coded apps with no authentication; about 2,000 appeared to leak sensitive data including medical and financial information.

Expert Statements

"The main concern is not amateur coding, but when personal apps transition to handling shared, hosted data without appropriate security standards."
— Gabriel Bernadett-Shapiro, SentinelOne

"Vibe coding is lower risk for prototypes or non-sensitive tools, but financial records and public internet-facing applications require greater scrutiny."
— Jack Cable, Corridor

Max Segall (Privy) built EzRun to reward his child with Ethereum; a colleague found a critical flaw allowing account modification before launch.

Security Recommendations

  • Use AI coding agents' built-in security commands (e.g., Claude Code's /security-review) proactively.
  • Run security reviews after each code change, especially when applications move from local to cloud environments.
  • Consider data sensitivity: apps handling personal, financial, or medical data should undergo professional security review.
  • Be aware that skills (add-on instruction packs) can be malicious; verify their integrity before use.

Industry Context

Vibe coding tools like Claude Code and OpenAI's Codex include optional security scanning features, but they are not automatically enabled for casual users. The OWASP organization has published an AI security verification standard, and firms like Trail of Bits offer security-focused skill packs.

Mitigation Example

Jeff Rothblum (Lilt) developed a lobbying tool using vibe coding. He regularly runs security reviews via Claude, keeps user data local, and plans to hire a security engineer if handling more sensitive information.

Conclusion

Security professionals advise that individuals building vibe-coded apps must consider threat models, explicitly prompt for security, and avoid exposing sensitive data without proper safeguards. The difference between a safe project and a security incident hinges on asking the right questions before deployment.