Thousands of AI-Coded Apps Expose Corporate Data on Open Web

Original: Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web

Why This Matters

Highlights the major security risks that arise as AI coding tools democratize app development.

Security researchers found over 5,000 web applications created using AI coding tools from Lovable, Replit, Base44, and Netlify with virtually no security protection, exposing sensitive corporate and personal data including medical information, financial records, and customer conversations to anyone with the URL.

RedAccess researchers analyzed thousands of applications built with AI development tools and discovered that approximately 2,000 contained private data accessible to anyone online. The exposed information included hospital work assignments with doctor PII, company ad purchasing data, go-to-market strategies, customer chatbot logs with full names and contact details, shipping cargo records, and financial documents. Researchers easily found vulnerable apps by searching Google and Bing for the AI companies' domains where users host their applications. Around 40% of the analyzed apps exposed sensitive data, and many required no authentication or had only trivial barriers, such as a sign-in that accepted any email address. Some apps would have granted administrative privileges to unauthorized users. The researchers also discovered phishing sites, created using these AI tools, that impersonated major corporations like Bank of America, Costco, and McDonald's.

Source

wired.com