Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web

Security researcher Dor Zvi and his team at RedAccess analyzed thousands of web applications created using AI software development tools such as Lovable, Replit, Base44, and Netlify. They found over 5,000 apps that had virtually no security or authentication, exposing sensitive data including medical records, financial information, corporate presentations, and detailed customer interactions with chatbots.

Key Takeaways

  • The analysis revealed a significant weakness in how AI coding tools let anyone create and publish applications without any security measures.
  • Many of these apps were left publicly accessible, allowing unauthorized access to sensitive data.
  • Some companies, such as Netlify, did not respond, while others, such as Replit and Base44, defended their practices but acknowledged that the apps had been exposed.
  • The exposure highlights a broader issue where AI coding tools democratize app creation without ensuring security is part of the process.
  • Verifying real data exposure remains challenging because some apps contain only placeholder or proof-of-concept data, making it hard to determine whether sensitive information was truly compromised.