Cybersecurity experts cited by Wired warn that as AI tools increasingly automate software development, they can also accelerate the introduction of new security weaknesses. The concern is heightened by “vibe-coding” platforms that let users generate and deploy web applications with minimal effort, often resulting in inadequate security controls—even when apps handle sensitive personal and business data.
Researcher Dor Zvi and his team at RedAccess analyzed thousands of applications created using Lovable, Replit, Base44, and Netlify. They reported finding more than 5,000 apps that lacked form-level security or authentication.
Among the roughly 5,000 publicly accessible apps, Zvi said nearly 2,000 showed serious privacy leakage after closer review. He added that identifying such exposed applications was straightforward, describing how the platforms often host apps directly on their own domains.
According to RedAccess, the researchers used Google or Bing to scan provider domains combined with common search terms to locate large numbers of apps. Wired reported verifying multiple pieces of evidence that remained available online.
Wired described screenshots and other evidence showing sensitive information accessible through vibe-coding apps. Reported examples included:
Zvi also said that in some cases, leaked apps provided enough access for him to seize control of system administration and revoke other administrators’ privileges.
In addition to privacy exposure, Zvi said he found many fraudulent sites impersonating major corporations on Lovable’s platform domain. He cited examples including Bank of America, Costco, FedEx, Trader Joe’s, and McDonald’s.
When Wired contacted the companies, Netlify did not respond. Three other companies pushed back, saying RedAccess did not provide enough data or time for them to respond. However, those companies did not deny that the exposed apps RedAccess identified were publicly accessible on the internet.
Amjad Masad, CEO of Replit, said on X that users can choose whether an app is public or private, adding that public accessibility is the default behavior and can be changed with one click.
Lovable’s representative said the company takes reports of data leakage and fraud seriously, stating that Lovable provides tools to build safe apps while the final app configuration is the creator’s responsibility.
Britt Brodie, head of PR at Wix (parent company of Base44), said Base44 provides tools for users to configure security and access controls. She added that disabling protections is a deliberate user action and that if an app is public, it is due to user configuration rather than a platform flaw.
Margolis argued that it is easy to create apps containing fake data and that, without verified examples, it can be difficult to assess claims. He also noted that verifying whether leaked information is authentic can be challenging because data may be drafts or test samples.
Despite these concerns, RedAccess said it contacted dozens of app owners, who confirmed data leakage. Wired reported that many users thanked the researchers and removed the app after being alerted.
RedAccess’s researchers said the core issue is that users can create and deploy apps without going through development or security testing cycles. Zvi concluded that anyone can deploy into production immediately without consulting others, contributing to the risk of sensitive data being exposed.