The rise of “vibe coding” has been a revolution. It lets anyone, anyone, from marketers to founders to interns, describe an app in plain English and have AI build it in minutes. However, recent research suggests that this newfound speed comes with a high price. It seems that the vibe-coding boom also brought a massive growth in security vulnerabilities.
The dark side of vibe coding: Instant apps are leading to more security vulnerabilities
Cybersecurity firm RedAccess recently shared some alarming findings, Wired reports. Their team identified roughly 5,000 web applications created with popular AI tools like Lovable, Replit, and Netlify that had almost no security. In many cases, these apps were indexed by Google, meaning anyone with a search bar could stumble upon sensitive corporate information.
The exposed data isn’t just placeholder text. Researchers found hospital work assignments, go-to-market strategies, sales records, and even patient conversations.
Vibe coding tools allow people without technical backgrounds to publish software. So, basic concepts like “authentication” or “private access” are often completely overlooked.
A clash of perspectives
The companies behind these AI platforms have pushed back. Replit and Wix (owners of Base44) argue that if an app is public, it’s because the user chose that setting. They maintain that a public URL is not a “breach” but expected behavior for a tool designed to share content.
While that is technically true, security experts argue that the problem is structural. When a tool is marketed to non-engineers, the “default” settings become the security model. If the default is “public,” a user who doesn’t understand web architecture will unintentionally leave the virtual door wide open.
The rise of “Shadow AI”
This phenomenon is a new form of “Shadow IT.” Employees are using AI to spin up lead trackers, customer portals, or reporting pages to save time. These tools work well enough to become unofficial production systems, yet they never undergo a security review. What starts as a quick experiment ends up housing real customer data or internal financial records on the open web.
Vibe coding isn’t going away—the efficiency is too high to ignore. However, the next phase in AI development needs to prioritize safety over sheer speed. Experts suggest AI platforms should be “private by default” and have clear warnings when an app is accessing sensitive data sources.
The potential of vibe coding is tremendous. But before moving an AI-built prototype into the real world, a quick check on who can actually see that data should be mandatory.
The post Vibe Coding Rise is Fueling a Surge in Security Vulnerabilities, Study Finds appeared first on Android Headlines.
