This is an illustrative scenario. Names, details, and quotes are fictional.
How a property listing marketplace secured its platform
Two-person team found tenant documents stored in public S3 buckets in a Replit-built app
The challenge
A two-person team built a property listing marketplace with Replit that connected landlords with tenants. The platform stored lease agreements, tenant applications with SSNs, and bank details for rent payments. The app managed 300 properties and was growing through landlord referrals. When a prospective investor asked about security practices during due diligence, the co-founders realized they had never checked whether their file storage was actually private.
Vulnerabilities discovered
VibeEval found 13 security issues across this marketplace application.
Document Storage in Public S3 Bucket
Payment Information Exposure
Cross-Tenant Data Leakage
Insecure Direct Object Reference
Missing Encryption for Stored Documents
Weak Password Reset Flow
Cross-Site Request Forgery
Missing Rate Limiting
Insecure Cookie Settings
Information Disclosure in Error Pages
Missing Security Headers
The solution
VibeEval confirmed that lease documents and tenant applications were stored in a public S3 bucket with predictable URLs. Anyone who guessed or enumerated the URL pattern could download SSNs, bank statements, and lease agreements. The team moved all documents to private storage with signed URLs, fixed the tenant isolation bug, and passed the investor due diligence.
"We store SSNs, bank details, and lease agreements for hundreds of tenants. VibeEval showed us those documents were in a public S3 bucket. We fixed it that night. The investor funded us a month later."
Frequently asked questions
How were tenant documents publicly accessible?
Lease documents and tenant applications were uploaded to an S3 bucket with public read permissions. File URLs followed a predictable pattern using the property ID and document type, so anyone could enumerate and download sensitive documents without authentication.
What financial data was exposed?
The payment information endpoint returned full bank account numbers and routing numbers for tenants with ACH payments set up. This data was included in API responses even when the requesting user only needed to see payment status.
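The two fixes described above (replacing predictable public document URLs with tenant-scoped, expiring signed links, and trimming the payment endpoint to what a status screen needs) as an added example that is not code from the original page or from the marketplace's app. It uses an application-level HMAC signature to show the property a real S3 presigned URL provides; the property ownership table, document keys, signing key and bank record are all constructed sample data.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample data: which landlord owns which property, and which property each document belongs to.
PROPERTY_OWNER = {"prop-101": "landlord-a", "prop-202": "landlord-b"}
DOCUMENTS = {"prop-101/lease.pdf": "prop-101", "prop-202/application.pdf": "prop-202"}
SIGNING_KEY = b"constructed-demo-key"  # hypothetical; a real service loads this from a secret store


def make_download_url(user_id: str, object_key: str, now: int, ttl: int = 300) -> str:
    """Issue an expiring, signed link only after confirming the user owns the document's property."""
    property_id = DOCUMENTS.get(object_key)
    if property_id is None or PROPERTY_OWNER.get(property_id) != user_id:
        raise PermissionError("document is not visible to this user")
    expires = now + ttl
    message = f"{object_key}|{user_id}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()
    return f"/files/{object_key}?user={user_id}&expires={expires}&sig={sig}"


def verify_download_url(url: str, now: int) -> bool:
    """Accept a link only if it is unexpired and its signature covers the key, user and expiry."""
    parsed = urlparse(url)
    object_key = parsed.path[len("/files/"):]
    params = parse_qs(parsed.query)
    try:
        user_id, expires, sig = (params[k][0] for k in ("user", "expires", "sig"))
    except KeyError:
        return False
    if now > int(expires):
        return False
    message = f"{object_key}|{user_id}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def payment_status_view(record: dict) -> dict:
    """Return only what a payment-status screen needs; the full account and routing numbers stay server-side."""
    return {"status": record["status"], "account_last4": record["account_number"][-4:]}
```

Changing the document key in a signed link, reusing it after expiry, or requesting a document for a property the user does not own all fail, which is exactly what the original predictable-URL scheme lacked.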
How did the security fix help with investor due diligence?
The team shared the VibeEval scan report showing the before and after. The investor specifically noted that proactive security testing and a documented remediation process gave them confidence in the team's engineering maturity.
How does VibeEval handle multi-tenant property apps?
VibeEval traces data access patterns to verify that tenant and property scoping is enforced consistently. It checks that every database query, API endpoint, and file access operation properly filters data based on the authenticated user's permissions.
Get similar results for your application
Start scanning your application for vulnerabilities today. Free trial available.