
Your coworker’s AI-built app might be leaking company secrets

Thousands of AI-built apps are spilling secrets online


AI coding tools have made it ridiculously easy to build a web app, and it only takes a few minutes to set up now. This ease has lowered the barrier to app development, which is causing a new set of issues. So what happens when these AI-made apps go live without anyone checking the locks? You get secrets spilling out all over the internet.

A WIRED report highlights a major security problem around so-called “vibe-coded” apps, which are built using AI development platforms such as Lovable, Replit, Base44, and Netlify.

Why this is a bigger issue than you think

Security researcher Dor Zvi and his team at RedAccess analyzed thousands of these apps and found more than 5,000 that had little to no security or authentication. Most of these apps could practically be accessed by anyone who found the ‘right’ URL. A few of these had only minimal barriers, allowing visitors to sign in with any email address. Nearly half of these exposed apps appeared to contain sensitive data like medical information, financial records, corporate presentations, strategy documents, and customer chatbot logs, said Zvi.

The investigation reportedly also revealed hospital work assignments with personally identifiable information, ad purchasing data, market presentation strategies, sales information, and even customer conversations with their names and contact details. Several of these apps were still online, although WIRED couldn’t verify whether all the data it reviewed was real or sensitive.

How vibe coding has become dangerous in IT

This story isn’t limited to one batch of sloppy AI apps. These tools allow people who may not have software engineering or security experience to build and publish apps quickly, often outside normal IT approval processes. So a marketing team member, an operations worker, or a founder can create a tool for internal use, connect it to real data, and accidentally leave it open to the web.

Zvi compared it to the old wave of exposed Amazon S3 buckets, where misconfigurations led companies to leak sensitive data at a massive scale. Security researcher Joel Margolis told WIRED that AI coding tools only do what’s asked of them. So if a user does not ask for security explicitly, the app may not be secure by default.

What did the companies say?

Replit CEO Amjad Masad wrote on X that some users had published apps on the open web that should have been private, adding that public apps being accessible online is expected behavior. Meanwhile, Lovable said it takes exposed data and phishing reports seriously and is investigating. Base44 parent company Wix stated that its platform provides security and visibility controls, arguing that public access reflects user configuration choices rather than a platform vulnerability.

This is a reality check for anyone treating vibe coding like a fast track to startup success. AI-generated apps can move quickly, but that speed comes with real trade-offs. From weak oversight to hidden vulnerabilities, AI-built apps can become a serious problem once a product is in users’ hands.

Vikhyaat Vivek
Vikhyaat Vivek is a tech journalist and reviewer with seven years of experience covering consumer hardware, with a focus on…