Rīga TV

Technology | Published: 22 June 2026 at 14:21

Vibe-Coding: Convenient but Risky – Security Experts Warn of Vulnerabilities

AI-powered app creation is booming, but many such apps lack basic security, exposing sensitive data and leaving them open to attacks.

Photo: The Verge

Vibe-coding, the practice of using AI tools to generate software with little to no manual coding, is gaining popularity, but security experts warn it comes with significant risks.

In one case, project manager Bob Starr used vibe-coding to create a website called "Boomberg." Months after launch, he discovered it had an SQL injection vulnerability that could have allowed attackers to read or alter data. Similarly, Jer Crane reported on X that an AI coding agent wiped out his company's production database, while Joe Procopio had to take down a vibe-coded demo app after hackers targeted it.
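To make the "Boomberg" finding concrete, here is an added example (not code from the article or from any of the projects it mentions) of the class of bug described: a query assembled by string formatting next to the parameterised version that fixes it. The table, rows and payloads are constructed for the example; the point is that the first form lets a visitor read every row and rewrite rows they do not own, while the second form treats the same input as data.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "admin"),  # constructed sample data
            ("bob", "bob@example.com", "user"),
        ],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Typical generated code: user input is pasted into the SQL text.

    A username of  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row in the table (an unauthenticated data read)."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the driver binds the value, so the payload above
    is searched for as a literal username and matches nothing."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def set_email_vulnerable(conn, user_id, new_email):
    """Unquoted numeric parameter spliced into an UPDATE.

    A user_id of  1 OR 1=1  makes the statement touch every row, which is the
    "alter data" half of the risk. Returns the number of rows changed."""
    sql = f"UPDATE users SET email = '{new_email}' WHERE id = {user_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def set_email_safe(conn, user_id, new_email):
    """Validate the identifier's type, then bind both values.

    int() rejects anything that is not a plain integer before it reaches SQL,
    and the placeholders keep the email out of the statement text."""
    uid = int(user_id)  # raises ValueError on "1 OR 1=1"
    cur = conn.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, uid))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup:", find_user_vulnerable(db, payload))  # both rows
    print("safe lookup:      ", find_user_safe(db, payload))        # []
    print("vulnerable update rows:", set_email_vulnerable(db, "1 OR 1=1", "x@example.com"))  # 2
    print("safe update rows:      ", set_email_safe(db, 2, "bob@example.com"))  # 1
```

The fix is the same in every framework an AI tool is likely to emit: never build statement text from request data, bind values through the driver's placeholders, and validate identifiers (ids, column names, sort orders) against an allow-list or a type check before they get near the query. A review that greps generated code for f-strings, `%` formatting or `+` concatenation on lines containing SELECT, INSERT, UPDATE or DELETE catches most of what the story describes.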

Gabriel Bernadett-Shapiro, distinguished AI research scientist at SentinelOne, notes that vibe-coding itself isn't bad—it empowers amateurs to build useful software. However, the danger arises when such apps, originally personal, start handling other people's data (medical, financial, etc.) without proper security measures.

Research by cybersecurity firm Red Access, reported by Wired, found roughly 5,000 publicly accessible vibe-coded apps with no authentication, of which nearly 2,000 were leaking sensitive data, including medical and financial records. Another example is Moltbook, a viral AI-built social network, whose production database was left exposed, leaking tens of thousands of email addresses and private messages.

While AI coding tools like Claude Code and OpenAI's Codex offer security scanning features, they require manual activation—users must specifically prompt them. Experts advise thinking carefully about the data an app will store and possible threats before starting to vibe-code, and to run regular security reviews.

Some developers are already taking precautions. Jeff Rothblum, who built a vibe-coded app for lobbying data entry, keeps user data local, runs regular security reviews, and plans to hire a human security engineer if he handles more sensitive data.

Jack Cable, CEO of security platform Corridor, emphasizes that vibe-coding is fine for low-risk projects like prototypes or personal trackers, but any app that handles sensitive data or is public on the internet needs more scrutiny. He warns that with code increasingly being shipped without human review, establishing guardrails now is crucial.
