Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web

submitted by

https://www.wired.com/story/thousands-of-vibe-coded-apps-expose-corporate-and-personal-data-on-the-open-web/


20 Comments

Others had only trivial barriers to that access, such as requiring that a visitor sign in with any email address

my company made one of these AI apps, and when I signed up I realized there was no email verification.

so, I made a fake user, with fake credentials, and an email that doesn’t even exist, and it worked. oh, and it has default editing permissions, so I was able to change data in it.

it won’t allow the use of an email outside of the company domain, but here’s the kicker: there’s a pop-up notification that tells you what domain to use.

it’s been 3 weeks, and it hasn’t been deleted yet.

Fml, people are so stupid. Claude tells you all these things; you basically have to force it to make something so inanely insecure.

Oh wait, they’re talking about the vibecode platforms. I think those are harnesses really, in which case yeah, shame on the companies selling these insecure harnesses.

Hmm

Wix, wrote in a statement that “Base44 provides users with robust tools to configure their own applications’ security, including access controls and visibility settings.” She added that “disabling those controls is a deliberate, straightforward action, any user can do it

Yeah, people are stupid, so I believe this.

Archived version?

Edit: asking in part because Wired always gives me the “you’re out of free articles!” message, but also this link throws a 403 at the mo.

Someone posted a fixed link and it opens just fine in a browser with good ad blocking.

Thanks. I must have Saturday morning brain!

malpraxis