Vibe-Coded Web Apps Are Leaking Sensitive Data, RedAccess Finds

RedAccess found more than 5,000 vibe-coded web apps exposing sensitive corporate and personal data through weak authentication, WIRED reports.

Thousands of AI-built web apps appear to be sitting on the open internet with little or no access control, according to WIRED. Security researcher Dor Zvi and his team at RedAccess told WIRED they found more than 5,000 vibe-coded apps created with Lovable, Replit, Base44 and Netlify tools that were reachable by anyone who knew, or could find, the URL.

The issue is less a classic software bug than a missing gate. Zvi told WIRED that many of the apps had no authentication at all, while others used weak barriers such as accepting any email address at sign-in. RedAccess estimated that about 40 percent of the exposed apps contained sensitive material, including medical information, financial data, corporate presentations, strategy documents and chatbot conversation logs, according to WIRED.

A familiar cloud-security problem, now accelerated by AI

RedAccess found the apps by searching the public domains used by AI app builders, Zvi told WIRED. WIRED said it reviewed screenshots shared by the researchers and verified that several exposed apps were still online, including examples that appeared to show doctors' personally identifiable information, ad-buying details, go-to-market documents, customer chatbot logs, cargo records and sales or financial records.

The researchers also found Lovable-hosted phishing sites impersonating brands including Bank of America, Costco, FedEx, Trader Joe's and McDonald's, according to WIRED. Zvi told WIRED that RedAccess contacted several dozen apparent app owners, and some confirmed their data had been exposed. WIRED also reported seeing anonymized communications in which Base44 users thanked the researchers after exposed apps were secured or taken offline.

The companies pushed back on parts of the report. Replit CEO Amjad Masad wrote on X, quoted by WIRED, that public apps being accessible online is expected behavior and that users can change privacy settings. Lovable told WIRED it takes exposed-data and phishing reports seriously, while Wix, Base44's parent company, said Base44 gives users access controls and visibility settings. Netlify did not respond to WIRED's request, according to the report.

The harder question is who catches these mistakes before they become production systems. Security researcher Joel Margolis told WIRED that non-engineers using AI coding tools may not know to ask for secure defaults. Zvi compared the pattern to the earlier wave of exposed Amazon S3 buckets, but with a new twist: AI tools let employees ship web apps outside normal development and security review. That's the real warning. Vibe coding doesn't just make software faster to create; it makes shadow software faster to leak.
