AI-built apps are raising new security alarms

Security experts warn that vibe-coded apps can expose data when quick prototypes move online without authentication, reviews or threat modeling.

By James Whitfield · Staff Writer

AI coding tools have made it easier for nondevelopers and small teams to put working apps online, but security researchers and founders told The Verge that many of those projects are reaching the public web before basic defenses are in place. The concern grows when personal experiments start handling customer records, financial information, medical data or internal business documents.

The Verge reported that Bob Starr, a tech-sector project manager, launched Boomberg, a site showing how U.S. tax money flows to tech companies, soon after building it with AI assistance. Months later, Starr found a hidden SQL injection risk that could have allowed an attacker to view or change data they should not have been able to access, according to the report.

Starr fixed the flaw, but The Verge cited other public examples of AI-built software going wrong. Jer Crane, founder of PocketOS, wrote on X that an AI coding agent wiped his company’s production database. Entrepreneur Joe Procopio wrote that he took down a vibe-coded demo app after hackers targeted it.

Personal tools can become public risks

Gabriel Bernadett-Shapiro, a distinguished AI research scientist at SentinelOne, told The Verge that amateur software creation is not the problem by itself. He said the danger comes when a local or personal tool becomes hosted software that stores shared data, especially when the builder does not recognize that the security stakes have changed.

Jack Cable, CEO and cofounder of Corridor, told The Verge that AI-assisted coding is more suitable for lower-risk uses such as prototypes. He said anything exposed to the public internet, or anything holding sensitive data, needs closer review and a clear understanding of who might attack it and what data could be exposed.

The Verge also reported on Max Segall, chief operating officer at crypto wallet company Privy, who built EzRun to reward his child with $10 in Ethereum after runs. A colleague found a critical flaw before launch that would have allowed anyone to alter user accounts and gain access, according to the report.

Researchers have found exposed data

In January, developer Matt Schlicht launched Moltbook, a social network built for AI agents, and said on X that he had not written any of the code himself. Security firm Wiz later said it found Moltbook’s production database exposed, including tens of thousands of email addresses and private messages; The Verge reported that Moltbook patched the issue after being notified.

Wired reported that researchers at Red Access found about 5,000 publicly reachable apps built with popular vibe-coding tools that lacked authentication. Close to 2,000 appeared to expose sensitive information, including medical and financial data, strategy documents and chatbot conversation logs, according to Wired.

The Verge noted that professional software built before the AI coding boom can also be insecure. But experts told the publication that AI tools increase the volume of software being produced and can create false confidence when a model says code is safe.

Security checks still need human direction

The Verge reported that Claude Code has a security-review command, but users must request it unless they have set up automated reviews in advance. OpenAI’s Codex includes Codex Security, which scans commits and proposed patches, but The Verge said that workflow is aimed more at developers using version control than at casual builders creating apps through chat.

Cable told The Verge that automated security reviews can help, but they may miss problems if the coding agent lacks context about the app’s risks. Bernadett-Shapiro said his main worry is not only flawed generated code, but missing authentication when users move local projects to the cloud with settings they do not understand.

Some tools are emerging. The Verge pointed to OWASP’s AI security verification standard and Trail of Bits “skills” that direct coding agents to look for issues such as weak defaults or hardcoded passwords. The report also cited 1Password’s Jason Meller, who found that a widely downloaded OpenClaw skill directed users to install a malicious dependency.

For individuals, the advice from experts cited by The Verge is to identify what data an app stores, what accounts it can reach and what could go wrong before putting it online. They also recommend asking AI tools to build with security in mind, running reviews after changes and seeking expert review before handling sensitive data.

This story draws on original reporting from The Verge.