Security Research

    Vibe Hacking

    Vibe coding lets anyone build apps in minutes. Vibe hacking is the other side: exploiting those apps is just as fast. Here are the real attack vectors we see used against AI-generated applications.

    Why vibe-coded apps are easy targets

    AI coding tools generate predictable patterns. Once you have seen one Lovable app, you have seen them all. The same Supabase key exposure, the same missing RLS, the same client-side auth. Attackers know these patterns and scan for them at scale.

    Common Attack Vectors

    Exposed Supabase/Firebase Keys

    Difficulty: Trivial

    View page source, grab the anon key, and query the database directly. Most vibe-coded apps have no Row-Level Security policies, so every table is readable.

    How it works

    1. Open browser DevTools on any page
    2. Search for "supabase" or "firebase" in the source
    3. Use the public API key to query the database directly
    4. Read, modify, or delete any data without authentication

    Client-Side Auth Bypass

    Difficulty: Easy

    AI tools generate auth guards in React components but skip server-side checks. Delete the guard in DevTools and access any protected route.

    How it works

    1. Navigate to a protected page and observe the redirect
    2. Open DevTools and modify the auth state in localStorage/context
    3. Or call the API endpoint directly without auth headers
    4. Access admin panels, user data, and payment information

    API Endpoint Enumeration

    Difficulty: Easy

    AI-generated APIs follow predictable naming patterns. Guess /api/users, /api/admin, /api/payments and find unprotected endpoints.

    How it works

    1. Check the network tab for API calls during normal usage
    2. Try common endpoint names: /api/users, /api/orders, /api/config
    3. Most endpoints return data without authentication
    4. Access other users' data by changing ID parameters

    IDOR Exploitation

    Difficulty: Easy

    Sequential IDs in URLs let anyone access other users' resources. Change /api/users/1 to /api/users/2 and read their profile.

    How it works

    1. Find any URL or API call with a numeric or predictable ID
    2. Increment or decrement the ID
    3. Observe that the server returns another user's data
    4. Automate to extract all user records

    Payment Flow Manipulation

    Difficulty: Medium

    Vibe-coded payment flows often validate on the client. Intercept the request to change the price, skip the payment step, or replay a successful transaction.

    How it works

    1. Start a checkout flow and intercept the API request
    2. Modify the price field or remove payment verification
    3. Submit the modified request
    4. Receive the product or service without paying

    Dependency Confusion Attack

    Difficulty: Medium

    AI assistants hallucinate package names that do not exist. An attacker registers that name on npm with malicious code and waits for a developer to install it.

    How it works

    1. Find AI-suggested packages that do not exist on npm
    2. Register the package name with a payload
    3. When the developer runs npm install, the attacker's code executes
    4. Exfiltrate environment variables, secrets, and tokens

    How to defend against vibe hacking

    Scan before you ship

    Run an automated security scan on every deployment. Catch exposed keys, missing auth, and open endpoints before attackers do.

    Enable Row-Level Security

    If you use Supabase or Firebase, configure RLS policies for every table. Your anon key will always be public, because it ships in the client bundle; RLS is what actually protects the data.
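    As an added example (not code from this page or from Supabase), here is what that looks like for a Postgres-backed Supabase project: a table created the way generated code usually leaves it, then the same table with RLS enabled and per-user policies keyed on the caller's JWT via Supabase's auth.uid() helper. The table and column names are assumed for illustration.

```sql
-- Assumed table: one profile row per user, user_id referencing auth.users.

-- Weak: table created without RLS. Anyone holding the public anon key
-- (readable from the page source) can select, update and delete every row
-- through the auto-generated REST API.
create table public.profiles (
  id      bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id) on delete cascade,
  email   text not null,
  bio     text
);

-- Corrected: enable RLS. With RLS on and no matching policy, the anon role
-- gets an empty result set instead of the whole table.
alter table public.profiles enable row level security;

-- Each authenticated user can read only their own row, which also closes the
-- "change /profiles/1 to /profiles/2" IDOR at the data layer.
create policy "profiles_select_own"
  on public.profiles for select
  to authenticated
  using (auth.uid() = user_id);

-- Users may update only their own row and cannot reassign it to someone else.
create policy "profiles_update_own"
  on public.profiles for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Inserts must carry the caller's own user_id.
create policy "profiles_insert_own"
  on public.profiles for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Deliberately no delete policy and no policy for anon: unauthenticated
-- requests with the public key cannot touch this table at all.

-- Check: list any table in the public schema that still has RLS disabled.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

    The final query is the check to run before every deployment; any row it returns is a table that the public anon key can read in full.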

    Add server-side auth

    Never trust client-side auth alone. Validate tokens and permissions on every API endpoint, not just in React components.

    Audit your dependencies

    Check that every npm package the AI suggested actually exists and is maintained. Remove packages you do not need.

    Test your payment flow

    Try to bypass your own checkout. Modify prices, skip steps, replay transactions. If you can do it, attackers will.

    Test your app before hackers do

    VibeEval runs the same checks attackers use -- exposed keys, missing auth, open endpoints, IDOR vulnerabilities -- and shows you exactly what to fix.