Text AI

Thousands of AI-Built Web Apps Found Leaking Sensitive User Data

Security researchers analyzed over 5,000 applications built with AI coding tools like Lovable, Base44, and Replit and found that roughly 40 percent exposed sensitive data due to missing authentication and misconfigured backends.

May 7, 2026
By Emma Wilson

Key Takeaways

  • Researchers found more than 2,000 vulnerabilities and 400 exposed secrets across 5,600 AI-built web applications
  • Roughly 40 percent of the apps exposed sensitive data including medical records and bank account numbers
  • Common root causes include misconfigured databases, missing row-level security, and hardcoded API keys
  • AI coding tools generate functional code but consistently skip fundamental security practices

Security researchers have uncovered a troubling trend in the world of AI-powered app development. A sweeping analysis of more than 5,000 web applications built with popular artificial intelligence coding tools found that roughly 40 percent exposed sensitive corporate and personal data on the open web, raising serious questions about whether the industry is moving too fast.

Vibe Coding Convenience Comes at a Cost

The research examined apps created with platforms like Lovable, Base44, and Replit, tools that let anyone build functional web applications using simple text prompts. These so-called vibe coding platforms have exploded in popularity because they allow people with no programming experience to ship products fast. But speed has come at the expense of security.

Across the 5,600 applications studied, researchers discovered more than 2,000 vulnerabilities, over 400 exposed secrets such as API keys and access tokens, and 175 instances of leaked personally identifiable information. That exposed data included medical records, bank account numbers, phone numbers, and email addresses. On Lovable alone, 170 out of 1,645 apps had critical flaws, with 303 vulnerable database endpoints left completely unprotected.

Why AI Tools Miss Basic Security

The root cause is surprisingly consistent. Nearly every vulnerability traced back to the same preventable mistakes: misconfigured Firebase databases, missing row-level security in Supabase, hardcoded API keys, and exposed cloud storage backends. These are fundamental security practices that experienced developers learn early in their careers, but AI coding assistants often skip entirely when generating applications.
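
What the missing row-level security named above looks like in a Supabase (Postgres) project, with an audit query and the fix. This is an added example, not code from the research or from any of the platforms mentioned; the table `patient_notes` and its columns are hypothetical.

```sql
-- Hypothetical table, constructed for this example: one row per user-owned record.
create table public.patient_notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id),
  body    text not null
);

-- Audit: list ordinary tables in the API-exposed "public" schema that have
-- row-level security switched off. With RLS off and the default grants in
-- place, any client holding the project's public (anon) key can read every
-- row through the auto-generated REST API.
select c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;

-- Fix, step 1: turn RLS on. With no policies defined yet, the API roles
-- are denied by default.
alter table public.patient_notes enable row level security;

-- Fix, step 2: let signed-in users read and insert only their own rows.
-- auth.uid() is Supabase's helper returning the caller's user id from the JWT.
create policy "owner can read own notes"
  on public.patient_notes
  for select
  to authenticated
  using ((select auth.uid()) = user_id);

create policy "owner can insert own notes"
  on public.patient_notes
  for insert
  to authenticated
  with check ((select auth.uid()) = user_id);
```

Running the audit query again after the fix should no longer list `patient_notes`; any table it still returns needs the same two steps.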

Large language models, or LLMs, generate code that works on the surface but lacks the defensive layers needed for production use. When a user asks an AI tool to build a login page, the model may create a beautiful interface without ever implementing proper authentication or access controls behind it.

The findings highlight a growing tension in the tech industry. AI tools are democratizing software development, letting more people build and launch products than ever before. But without built-in security guardrails, those same tools risk flooding the internet with vulnerable applications that put real people at risk.

Industry experts warn that AI coding platforms must prioritize security-by-default features before the next wave of data breaches makes the problem impossible to ignore.
