VIBE HACKING: HOW ATTACKERS EXPLOIT AI-GENERATED APPS | VIBEEVAL

Why vibe-coded apps are easy targets

AI coding tools generate predictable patterns. Once you have seen one Lovable app, you have seen them all. The same Supabase key exposure, the same missing RLS, the same client-side auth. Attackers know these patterns and scan for them at scale.

Common Attack Vectors

Exposed Supabase/Firebase Keys

View page source, grab the anon key, and query the database directly. Most vibe-coded apps have no Row-Level Security policies, so every table is readable.

How it works

  1. Open browser DevTools on any page
  2. Search for “supabase” or “firebase” in the source
  3. Use the public API key to query the database directly
  4. Read, modify, or delete any data without authentication

Client-Side Auth Bypass

AI tools generate auth guards in React components but skip server-side checks. Delete the guard in DevTools and access any protected route.

How it works

  1. Navigate to a protected page and observe the redirect
  2. Open DevTools and modify the auth state in localStorage/context
  3. Or call the API endpoint directly without auth headers
  4. Access admin panels, user data, and payment information

API Endpoint Enumeration

AI-generated APIs follow predictable naming patterns. Guess /api/users, /api/admin, /api/payments and find unprotected endpoints.

How it works

  1. Check the network tab for API calls during normal usage
  2. Try common endpoint names: /api/users, /api/orders, /api/config
  3. Most endpoints return data without authentication
  4. Access other users’ data by changing ID parameters

IDOR Exploitation

Sequential IDs in URLs let anyone access other users’ resources. Change /api/users/1 to /api/users/2 and read their profile.

How it works

  1. Find any URL or API call with a numeric or predictable ID
  2. Increment or decrement the ID
  3. Observe that the server returns another user’s data
  4. Automate to extract all user records

Payment Flow Manipulation

Vibe-coded payment flows often validate on the client. Intercept the request to change the price, skip the payment step, or replay a successful transaction.

How it works

  1. Start a checkout flow and intercept the API request
  2. Modify the price field or remove payment verification
  3. Submit the modified request
  4. Receive the product or service without paying

Dependency Confusion Attack

AI hallucinates package names that do not exist. Register that name on npm with malicious code and wait for the developer to install it.

How it works

  1. Find AI-suggested packages that do not exist on npm
  2. Register the package name with a payload
  3. When the developer runs npm install, your code executes
  4. Exfiltrate environment variables, secrets, and tokens

Tools most targeted by vibe hackers

Lovable

Full Supabase stack exposed in every app. Public anon keys + no RLS = open database.

Bolt.new

Deploys instantly with secrets in environment. No security review step in the workflow.

Replit

Public repos by default. Secrets in .env files that get forked and exposed.

v0

Frontend-only auth patterns. Server components with client-side security assumptions.

How to defend against vibe hacking

Scan before you ship

Run an automated security scan on every deployment. Catch exposed keys, missing auth, and open endpoints before attackers do.

Enable Row-Level Security

If you use Supabase or Firebase, configure RLS policies for every table. Your anon key will always be public. RLS is what protects the data.
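What that looks like in practice, as an added example rather than VibeEval's own code: the weak state most generators leave behind (a table with RLS never enabled) next to the corrected Supabase/Postgres setup. The table name `profiles`, its `user_id` column and the `is_admin` column are assumptions for the illustration; `auth.uid()` and the `anon`/`authenticated` roles are Supabase's own.

```sql
-- Added example, not code from the original page or from VibeEval.
-- Hypothetical "profiles" table; user_id links each row to its owner.

-- Weak state: the table exists, RLS was never turned on, so anyone who
-- pulls the anon key out of the page source can read and change every row.
create table if not exists profiles (
  id       bigserial primary key,
  user_id  uuid not null references auth.users (id),
  email    text not null,
  is_admin boolean not null default false
);

-- Fix 1: enable RLS. With no policies defined yet, the anon and
-- authenticated roles see zero rows (deny by default); only the
-- server-side service role bypasses RLS, and that key never ships to browsers.
alter table profiles enable row level security;

-- Fix 2: an authenticated user may read only their own row.
-- auth.uid() comes from the JWT that Supabase verifies server-side, so
-- editing localStorage or the request body cannot change which rows match.
create policy "profiles_select_own" on profiles
  for select to authenticated
  using (auth.uid() = user_id);

-- Fix 3: same ownership check on writes. WITH CHECK stops a user from
-- re-pointing user_id at someone else's account during an update.
create policy "profiles_update_own" on profiles
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Fix 4: privilege flags stay out of reach of client-side code. Column-level
-- privileges sit alongside RLS; here the authenticated role cannot touch
-- is_admin at all, so self-promotion through the public API is refused.
revoke update (is_admin) on profiles from authenticated;

-- No policy is created for the anon role on purpose: an unauthenticated
-- request with the public key gets an empty result set, not the whole table.
```

After applying this, a query made with the anon key returns no rows instead of every profile, and an authenticated request only returns rows whose `user_id` matches the caller's token.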

Add server-side auth

Never trust client-side auth alone. Validate tokens and permissions on every API endpoint, not just in React components.

Audit your dependencies

Check that every npm package the AI suggested actually exists and is maintained. Remove packages you do not need.

Test your payment flow

Try to bypass your own checkout. Modify prices, skip steps, replay transactions. If you can do it, attackers will.

Test your app before hackers do

VibeEval runs the same checks attackers use – exposed keys, missing auth, open endpoints, IDOR vulnerabilities – and shows you exactly what to fix.

14-day trial. No card. Results in under 60 seconds.