5,000 Vibe-Coded Apps Highlight the Shadow AI Challenge
Recent findings by RedAccess spotlight a significant but often overlooked weakness in enterprise software development: the proliferation of "vibe-coded" applications that are public by default. The surge in these applications comes from AI app-building platforms such as Lovable and Replit, which let non-technical users turn a natural-language prompt into a deployed web app. That democratization has real benefits, but it also exposes organizations to data leaks that current security programs were never designed to catch.
Shocking Scale of Exposure
RedAccess identified approximately 380,000 publicly accessible assets, including apps and databases, linked to vibe coding platforms. Around 5,000 of those sites (1.3%) contained sensitive corporate data. The exposure is not theoretical: RedAccess CEO Dor Zvi said his team's analysis set out to measure the impact of shadow AI on its customers. The same crawl turned up phishing sites impersonating recognizable companies such as Bank of America and McDonald's, showing that the platforms are also being used for outright malicious purposes.
Public-by-Default Settings at Fault
The crux of the problem is the default access setting on many vibe coding platforms: an application is reachable by anyone unless its creator manually sets it to private. Because nothing stops a crawler from fetching an unauthenticated app, sensitive content ends up indexed by search engines and can be found by anyone who searches for the right terms. Zvi pointed to the underlying challenge, stating, "I don’t think it’s feasible to educate the whole world around security," which captures the difficulty of getting non-technical builders to apply even basic access controls.
Historical Context of Vulnerabilities
This is not the first alarm raised over the security of vibe-coded applications. Earlier research by Escape.tech found over 2,000 high-impact vulnerabilities in a sample of vibe-coded applications, including 175 instances of exposed personal data such as medical records and bank account details. That earlier scrutiny points to a recurring theme: citizen developers, eager to ship quickly, often skip security basics altogether.
The Shadow AI Effect
RedAccess's data feeds into a broader concern about shadow AI, the unsanctioned use of AI tools inside enterprises. IBM's Cost of a Data Breach Report found that 20% of organizations reported a breach involving shadow AI, and that those breaches carried higher costs than average. The same report found that 97% of organizations that suffered an AI-related security incident lacked proper AI access controls, a sign of how far governance lags behind adoption.
Essential Steps for Security Teams
With the risk landscape intensifying, what can security leaders do? The exposures RedAccess identified argue for an audit framework that targets vibe-coded applications across five domains: discovery, authentication, code scanning, data loss prevention, and governance. Each domain pairs the state most organizations are in today with a target state and a first action that can deliver a quick win.
| Domain | Current State (Most Orgs) | Target State | First Action |
| --- | --- | --- | --- |
| Discovery | No visibility into vibe-coded apps | Automated scanning of vibe coding platform domains | Run DNS + certificate transparency scan for Lovable, Replit, Base44, and Netlify subdomains tied to corporate assets |
| Authentication | Platform defaults (public by default) | SSO/SAML integration required before deployment | Block unauthenticated apps from accessing internal data sources |
| Code scanning | Zero coverage for citizen-built apps | Mandatory SAST/DAST before production | Extend the existing AppSec pipeline to cover vibe-coded deployments |
| Data loss prevention | No DLP coverage for vibe coding domains | DLP policies covering Lovable, Replit, Base44, Netlify | Add vibe coding platform domains to existing DLP rules |
| Governance | No AI usage policy or shadow AI detection | AI governance policy with regular audits for unsanctioned tools | Publish an acceptable-use policy for AI coding tools with a pre-deployment review gate |
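As an added illustration of the Discovery row's first action (example code written for this page, not RedAccess tooling or any platform's API), the script below takes certificate transparency results in the JSON shape crt.sh serves for `output=json` plus a corporate DNS zone export, and flags platform-hosted apps whose names mention the organization. The platform hosting domains, the crt.sh query shape, the org keywords and every sample record are assumptions or constructed for the demo; the only network call is the optional live lookup.

```python
"""Discovery pass for vibe-coded apps: CT log names plus corporate DNS CNAMEs."""
import json
import re
import urllib.parse
import urllib.request

# Assumed hosting domains for each platform's deployed apps (hypothetical
# mapping for this example; confirm against the platforms' documentation).
PLATFORM_DOMAINS = {
    "lovable.app": "Lovable",
    "replit.app": "Replit",
    "base44.app": "Base44",
    "netlify.app": "Netlify",
}

# Constructed sample entries in the shape crt.sh returns for output=json;
# not real certificate data.
SAMPLE_CT_ENTRIES = [
    {"id": 1, "common_name": "acme-sales-dashboard.lovable.app",
     "name_value": "acme-sales-dashboard.lovable.app"},
    {"id": 2, "common_name": "*.lovable.app",
     "name_value": "*.lovable.app\nlovable.app"},
    {"id": 3, "common_name": "acmecorp-hr-portal.replit.app",
     "name_value": "acmecorp-hr-portal.replit.app"},
    {"id": 4, "common_name": "weekend-todo-list.netlify.app",
     "name_value": "weekend-todo-list.netlify.app"},
    {"id": 5, "common_name": "internal-acme-billing.base44.app",
     "name_value": "internal-acme-billing.base44.app\n"
                   "www.internal-acme-billing.base44.app"},
]

# Constructed BIND-style excerpt of a corporate zone; not real records.
SAMPLE_ZONE = """\
www.example.com.      300 IN A     203.0.113.10
support.example.com.  300 IN CNAME acme-support-portal.lovable.app.
beta.example.com.     300 IN CNAME acme-beta-site.netlify.app.
"""

def crtsh_query_url(platform_domain):
    """crt.sh JSON search for every certificate naming a subdomain of platform_domain."""
    return "https://crt.sh/?" + urllib.parse.urlencode(
        {"q": f"%.{platform_domain}", "output": "json"})

def fetch_ct_entries(platform_domain, timeout=60):
    """Live lookup (needs network); returns the entry list crt.sh serves."""
    with urllib.request.urlopen(crtsh_query_url(platform_domain), timeout=timeout) as resp:
        return json.load(resp)

def hostnames_from_entries(entries):
    """Flatten entries into lowercase hostnames. name_value may hold several
    SAN names separated by newlines; wildcards are reduced to their base."""
    hosts = set()
    for entry in entries:
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name:
                hosts.add(name)
    return hosts

def split_platform(hostname):
    """Return (platform, user-chosen label) for a platform-hosted name, else (None, None)."""
    for apex, platform in PLATFORM_DOMAINS.items():
        if hostname == apex:
            return platform, ""
        if hostname.endswith("." + apex):
            return platform, hostname[:-(len(apex) + 1)]
    return None, None

def find_corporate_apps(hostnames, org_keywords):
    """Flag platform-hosted hostnames whose label mentions an org keyword.
    Only the user-chosen label is matched, so the platform name never triggers
    a hit. Results are triage candidates, not confirmed corporate assets."""
    pattern = re.compile("|".join(re.escape(k.lower()) for k in org_keywords))
    findings = []
    for host in sorted(hostnames):
        platform, label = split_platform(host)
        if not label:
            continue
        match = pattern.search(label)
        if match:
            findings.append({"hostname": host, "platform": platform,
                             "keyword": match.group(0)})
    return findings

def platform_cnames(zone_text):
    """The DNS half: corporate records whose CNAME target is a platform-hosted app."""
    hits = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            target = fields[4].rstrip(".").lower()
            platform, label = split_platform(target)
            if label:
                hits.append({"record": fields[0].rstrip("."),
                             "target": target, "platform": platform})
    return hits

if __name__ == "__main__":
    hosts = hostnames_from_entries(SAMPLE_CT_ENTRIES)
    for f in find_corporate_apps(hosts, ["acme", "acmecorp"]):
        print(f"CT   {f['platform']:8} {f['hostname']} (matched {f['keyword']!r})")
    for h in platform_cnames(SAMPLE_ZONE):
        print(f"DNS  {h['platform']:8} {h['record']} -> {h['target']}")
```

For platforms with hundreds of thousands of subdomains the bare wildcard query returns very large result sets, so in practice narrow it or work from a CT log mirror. Keyword matching only produces candidates (an employee's personal "acme" side project is a false positive), and every hit should be confirmed by fetching the app and checking whether it serves content without authentication before it goes into the asset inventory.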
The Need for Structural Change
The RedAccess findings are a wake-up call for security teams. As enterprises embrace citizen development, the lack of oversight becomes a day-to-day operational problem rather than an abstract risk. The detection challenge goes beyond traditional controls: a vibe-coded app is built and hosted entirely on the platform's own infrastructure, so it typically never appears in corporate DNS, the CI/CD pipeline, the cloud accounts, or the CMDB that conventional asset discovery enumerates. Those tools were built for applications an organization deploys itself, not for one-prompt deployments on a third-party domain.
Industry Responses Highlight Concerns
The responses from the platforms have been telling. Replit CEO Amjad Masad acknowledged the urgency of addressing the exposures as they come to light, but skepticism remains about how much accountability the platforms accept. Their model shifts the burden of security onto users, many of whom lack the expertise to tell whether an app is safe to publish. As previously reported Base44 vulnerabilities showed, a platform's assumptions about what its users can handle can compound risks that are already widespread.
Looking Ahead: Adapting to New Realities
The RedAccess report is a reminder that emerging technologies redraw the security landscape. As vibe coding and citizen-developed applications proliferate, security awareness and practice have to shift with them. Security teams must understand not only the tools in use but also actively monitor what gets created and deployed across the organization. Left unaddressed, these exposures stay hidden until they surface as an incident. Organizations that start auditing their vibe-coded applications today can move from a reactive to a proactive posture instead of finding themselves in tomorrow's headlines.