Study finds security gaps in thousands of vibe-coded apps
Published: 08/05/2026 | WIRED
An investigation by cybersecurity firm RedAccess has found that thousands of web applications created with artificial intelligence (AI) code-generation tools, a practice known as vibe coding, have exposed sensitive corporate and personal data on the open web. Researchers analysed apps built with platforms including Lovable, Replit, Base44, and Netlify, identifying over 5,000 instances where software lacked basic security or authentication. Approximately 40% of these applications leaked private information, such as medical records, financial data, corporate strategy documents, and customer chatbot logs.
These vibe-coded tools allow users to generate and host applications instantly. However, many were found to be accessible to anyone with a URL or required only a simple email sign-in. In addition, the study discovered numerous phishing sites impersonating major global brands hosted on these platforms. While the AI companies involved questioned the research timeline and specific findings, they did not deny that the identified applications were left exposed. The findings suggest that the rise of vibe-coding tools has led to a significant increase in security vulnerabilities, resulting in one of the largest collective exposures of sensitive information to date.