A security firm says over 5,000 AI-built web apps had little or no login protection, and many appeared to expose sensitive personal and business data.
In short: Security researchers say many web apps made with “vibe coding” tools are being published with little or no protection, which can leave data open to anyone.
Security researcher Dor Zvi and his team at cybersecurity firm RedAccess analyzed thousands of web apps built using AI coding services Lovable, Replit, Base44, and Netlify, according to Wired. These tools can help people create and publish a web app quickly, even if they are not trained programmers.
RedAccess says it found more than 5,000 apps with “virtually no security or authentication.” In plain terms, some apps could be opened by anyone who found the link, like a shared document with the privacy setting accidentally left on “anyone with the link.” Others used weak checks, like letting visitors sign in with any email address.
Zvi says around 40 percent of the exposed apps appeared to include sensitive information. Examples shown to Wired included what looked like hospital work assignments with personal details, financial and sales records, corporate presentations and strategy documents, shipping cargo records, and chatbot logs that included customer names and contact information. Wired says it reviewed some apps but could not confirm that the data was as sensitive or as real as it appeared.
The researchers said it was easy to find many of these apps because the services often host apps on their own domains. They used simple Google and Bing searches to locate them.
The companies pushed back on parts of the claims. Replit said public apps being accessible is expected if users choose public settings. Lovable and Base44 said they provide security controls, and that creators are responsible for how apps are configured.
Expect more attention on default privacy settings and clearer warnings before an app goes public. Organizations may also tighten rules on who can publish internal tools and what data those tools can access.
Source: Wired