Tibo is flying business class while his app has critical exploits. Got admin access with full access to sensitive data. The app has 6000 paid users, 34k in total!!

Vibe coding is really getting out of hand. I’m seeing this everywhere, almost half the apps now are vulnerable.

This isn’t about calling anyone out. It’s a wake-up call. When you’re moving fast and shipping features, security can’t be an afterthought. Your users’ data is at stake.

  • Just say to the LLM "make my app unhackable"

    duh

    /unvulnerabily

    It's ready for production!

    You’re absolutely right

    This is literally the advice a lot of vibe coders give to secure your app

    This is how they see software development in general.

    Models are getting better, but they're not that good. It's crazy how much faith people put in them when they fail over and over again to "tweak that one feature there that I've explained to you about a million times to just move slightly over to the left..."

    That's true, the LLM just does what you prompt... It's a big difference if you say "Create an app" or "Create an unhackable app". The LLM is as intelligent as you are, nothing more and nothing less. Just learn prompt engineering and then you're good.

  • OP sells a "Secure Your Vibe-Coded Application" service. Don't fall for it.

    What’s wrong with it? People shouldn’t secure their applications?

    People should obviously secure their apps, but tweeting out that vulnerability is not the right way.

    Did he ask him to audit it? Did he privately disclose it to him? Unless he told him fuck I don't care, this is a very unprofessional way of handling it.

    Unless you're paying somebody to pen test your app, they don't owe you an explanation.

    It's your app, it's your responsibility to secure it. Expecting people to be nice about reporting your critical vulnerabilities is not a reasonable security strategy.

    A public shaming isn't even close to the worst case scenario.

    If the person is selling security audit services as claimed, being professional is actually important. Behaving that way isn't a good business strategy. It's an unethical approach regardless whose responsibility it is to secure the app.

    Again, counting on people looking for security exploits to act ethically isn't a responsible solution.

    I'm going to go out on a limb and guess this guy probably already offered his services and was turned down. Turned into a successful ad for his security business.

    Again, a public shaming is far from the worst thing that could have happened to the guy's business, and if you could count on everyone to behave ethically 100% of the time we wouldn't need security in the first place.

    One of you is explaining it from the cybersecurity POV. The other is explaining it from an ethical and responsible business practice POV. Y'all are both right, marking vulnerabilities is important, publicizing it is also allowed, but it's not good business practice to do so without giving a reasonable amount of time to let the other party fix it.

    Dealing with it myself and I would personally never do business with a security professional that's not handling things professionally. But I appreciate that there are people out there finding vulnerabilities and helping harden systems.

    I would not purchase anything from him if this is the way he conducts himself. I'm guessing it will be a short-lived career for him. Just because you can say something doesn't always mean you should say something.

    I would not purchase anything from him if this is the way he conducts himself.

    I dunno. If he approached me and said he found some critical vulnerabilities I'd believe him.

    Depends on timing of approach, before or after he put it on public blast.

    I'm not saying that, and it's irrelevant anyway. The app owner obviously has to take responsibility for it.

    If the audit guy wants to erode his trust while operating in a domain that is all about trust, so be it. Doesn't change the fact that it's not the right way to go about it.

    In my opinion, it is also unethical to blame the messenger. You do not know if the OP has informed the company already, and if a grace period has expired.

    True, I don't. My first comment mentioned "Unless..."

    I personally still wouldn't message it that way. Handled differently, they could have spun it into a pitch for their services, but it just comes off as snarky and vindictive. Plus, sharing a screenshot of the data is unnecessary and unethical as well.

    There is an ethical standard for public disclosure. Otherwise the disclosure can cause more problems. But perhaps better for the one disclosing (for publicity), hence the comment on the potential conflict of interest.

    There is an ethical standard for public disclosure.

    The point of security is to stop bad actors.

    If this was my business I'd be embarrassed about this post pointing out my security flaws, but I'd be terrified about the possibility that somebody else had already gained this access and didn't make a post about it.

    Actually you are almost there. It should be about the end user as you had indicated, but not for the reason you stated.

    I would be angry if my data got exposed because of some unethical disclosure. With an ethical disclosure my data will be saved before the public disclosure is made.

    Not sure if you know what those ethical considerations are, but if the aim is to shame the company, that will happen sooner or later. Because ethical disclosure is mainly meant to communicate the issue so the problem can be fixed before being publicly disclosed.

    Well, I guess we have different philosophies about security.

    I have 0 faith in people to act ethically and 0 faith that any critical flaws in my apps will be ethically disclosed.

    I've lost a lot of sleep and put in a lot of time and resources into security. $34k MRR isn't a huge company, but way too big for me to have sympathy for in this case.

    It's weird, you can pull it up (tibo.ai) and all it does is point you to an email at a cybersecurity-based VC domain (oakseedvc.com). Doesn't seem like anyone should be using that to begin with. Rafter.so on the other hand...

  • Did he leave passwords and user data in plane text? I’m guessing he did.

    ✈️

    User: pilotquagmire password:squawk 8000

    Unsecured frontend calls more often than not. Can be as simple as manipulating the role value when creating the user. Or private keys in headers.

  • I think that we need an AI tool for vibe coding app security validation.

    Just ask Claude Code. Most of those things the AI does are just to make an easy prototype, but it "knows" they are not supposed to go to production. I realised at some point it decided to use local storage as a database just to get the prototype going, gave me a good laugh, but that will be fun if a beginner goes live with that :)

    There are some out there lmao

    You’re on the right track: an AI that red-teams vibe-coded apps by hitting auth, RLS, rate limits, and data leaks would be huge. I’d wire it to stuff like ZAP and Semgrep, then feed traffic traces from something like Kong or even DreamFactory alongside Supabase logs to spot real-world holes, not just textbook ones.

  • Which app?

    Interested to know which app too

  • Care to share what vulnerability you were able to exploit? So this wake-up call can benefit everyone, vibe coders or soulless coders.

    Credentials un-obfuscated in HS, client-side auth, API that takes SQL or GraphQL from the client without any control of its contents.

    Register user API that takes a flag for superuser that can easily be set in a manipulated request.

    /dashboard or /admin that are unauthenticated.

    I've seen all of these on publicly announced vibecoded products.

    A bit like total beginner proof of concept projects.

    lol, you sound like one of those "soulless coders" that know what they're doing.

    I keep testing all the LLM powered tools and when one gives me a net benefit I'll adopt it.
    Even a few % more productivity would be worth a good chunk of cash to me.

    I have a server with a 3090 for testing locally hostable tools, soon to be dual 3090 and 1TB of memory. I run LLMs on NPUs both X86 and ARM.
    They are fun toys/quick&dirty prototype generators for now, in my opinion but I'm lurking to be ready if/when they cross over to being more of an asset than a liability.

    Agentic coding is definitely a net benefit IMO.

    I just get a kick out of the people like the person you were responding to that have made "vibe coding" a personality trait and consider learning a basic understanding of software engineering to be heretical.

    You got all of that from my comment? Those thoughts belong to you, not to me. I was simply making fun of the OP, this so-called white knight claiming to “wake people up” and “protect their data from bad software,” when in reality it’s just an empty marketing post aimed at everyone except the website’s actual owner.

    We need fewer of these pseudo-philosophical, virtue-signaling posts from bad marketers or frustrated software engineers who are starting to realize that the repetitive, grind-heavy part of their job is at risk in the long run, and more genuine collaboration and community support between people who actually build software. Like the person (thank you) who replied to my comment and actually contributed something useful.

    You also make it sound as if all software engineers produce flawless, unbreakable software, which is simply not true. My data has been compromised by some of the biggest tech companies in the world (Facebook, Sony, and others) long before agentic coding even existed. And this is even more true outside ultra-developed markets.

    The opportunity created by agentic coding goes far beyond this childish, fear-driven “software engineers vs. vibe coders” feud. It opens up possibilities that extend well beyond what a narrow, ultra-developed-market mindset is able to see.

    fear-driven “software engineers vs. vibe coders” feud

    lol, this isn't driven by us "soulless" software engineers. Not sure what I'm supposed to "fear" about vibe coders.

    It's driven by people who refuse to learn software engineering principles that are so insecure they respond to people who weren't even talking to them with angry novels.

    Client side auth is crazy, actually unimaginable. Really shows these people know absolutely 0 about software engineering.

  • vibe coding is such a blessing for hackers

  • Do you have any idea how many High and Critical vulnerabilities came out for NPM packages just this month? Gtfo of here

  • Yall complain about how everyone in this sub talks down on people for vibe coding, yet yall seem to be the ones who are totally uninterested in learning why.

    This is why. People are shoving out vibe code through their assholes, riddled with bugs, and selling it as if it’s trustworthy.

    Vibe coding is great for many things. Production-quality code is not one of those things.

    You make it seem like this is a vibe coding specific thing.

    But it's just for shipping an MVP. I was under the impression vibe code was used to see if something was even WORTH hiring someone to professionally code it. Otherwise you're wasting time and money

    "Production quality" is as meaningless as "enterprise" or "military grade". It just means "whatever someone uses".

    While I agree with you, its not a counter argument to who you are responding to.

    it means “suitable for use in production applications”

    which unless your company has little or no standards, is usually well-defined

    What do you say when a big company with well-paid engineers has security breaches? Should they also just build on local?

    If a huge company is taken down by state-sponsored hacking teams I'm not judging their failure the same way as somebody who was dumb enough to let me pass raw SQL through to their backend through the login fields.

    did you just... please tell me you didn't just put well-paid engineers and vibe coders in the same bucket

    Based on the definition of an engineer, it doesn't matter much whether you are paid handsomely or a solopreneur. An engineer is someone who designs and creates systems to solve issues. Though my point was that well-paid engineers are making mistakes as well. No one bats an eye because they are behind a company. Mixpanel just leaked data... who do we tell to stop building? No one, right? We just patch and move on. When a solo person does this, we want to crucify. Why?

    You're shifting goalposts. The conversation was about vibe coders (as solopreneurs) compared to employed engineers. Bad faith to leave it at "solo person" without the distinction

    Maybe I'm wrong about who a vibecoder is then. What do you classify as vibecoder?

    rare reddit intellectual conversation, big Ws to you friend

    imho the "vibe coders" term has the connotation that they're newcomers to the industry via AI. We're at a point where, yes, both parties can create simple-ish applications; but it's like saying "someone in the BPL can dribble... me at Sunday league I dribble too.. it's the same thing!"

    As an example, I think last year or before, someone at Microsoft detected an SSH vulnerability just by realizing their script was running slower than usual. They found it unacceptable, dug in, did profiling and literally saved the entire tech world from a major catastrophe. Had they been on the vibe coder end of things, the chance is less likely that they'd have had the urge (or maybe even the knowledge) to methodically annihilate the issue. This is just one example btw!

    Sometimes you get hacked, sometimes your infra hiccups and entire stack is down. At that point you need battle-hardened veterans or people with experienced instincts to come in and fix the problem hands on. More often than not, these people have witnessed these problems so many times that they already have 5 guesses even before looking at their Sentry/New Relic/Datadog

    Circling back to the football analogy for warm closure, one of them can play at CL/EL and score bangers like it's yet another Tuesday evening, the other maybe applies to amateur clubs and fights the uphill battle. Both doing something, but at different levels

    Happy to elaborate any questions and/or work with ideas

    PS: I got caught up with the difference, imho the bashing of solopreneur ai-driven newcomers is... it depends on context. Especially if you're handling sensitive user data, it's completely unacceptable that they go forward without appropriate security measures. Both parties do this, but in big companies the blame is distributed across. Most companies also have "no blame" postmortems because at that scale it's a distributed issue as well. At the solo vibe coder POV, you're responsible for anything and everything

    Thanks for explaining. We had a difference of opinion on who was a vibecoder. Mainly because Op placed a Pic of Tibo as a vibecoder, and he has been building prior to the term becoming popular, so I thought it was just an attack of solopreneurs. I get your angle now. In my two cents in a couple of years, we won't be able to tell the difference as the tools will be so smart that they'll handle building complex solutions with ease and security. I also think big software companies will pivot to tools mainly because a good tool "should" make fewer mistakes than a human. We may still be a long way from this, but it's the future.

    LMAOO THE OOOP IS NOT EVEN A VIBE CODER. The jokes write themselves.

    Not all vibecoders are like this. You jealous devs really love cherry picking and always have your profile hidden.

    If developers were jealous of vibecoders, we'd start vibecoding. The reason we don't isn't because we can't do what you can. It's because we can do what you can't.

    You're bringing back memories of this time a lesbian proudly showed me her strap-on dildo and said "don't you wish you had one of these". I have the real thing, I don't need an artificial prosthesis.

    You can have production-quality code and still get hacked lol. Cmon everyday there are new vulnerabilities reported, vibecoded or not.

    Vulnerabilities in production-quality code are much harder to spot and exploit than vibe-coded apps with obvious vulnerabilities such as storing client passwords in plain text for example or even exposing private keys lol. You really shouldn't equate these two.

    Downvote me or not, but people also make mistakes. Storing client passwords is not something new and most certainly you shouldn't blame AI for that. Let me ask, how many times have you blinked on a massive PR while you've been adamant about smaller changes? Things slip... that's what I'm saying.

    I didn't downvote you. Yes people make mistakes, I'm not arguing otherwise. I'm also not blaming AI, I'm blaming the human who is instructing the AI without double-checking the output. When people put these vibe-coded apps that require personal info they should have the decency to at least make sure basic security standards are upheld, but if they don't even understand how basic auth works, then how can I expect them to uphold those standards? When you put something like that in prod and have users, you are responsible for the proper handling of your users' data and I think vibe-coders often don't handle this with the care it deserves.

    Yes engineers make mistakes in production, but they aren't nearly as careless as the mistakes committed by vibe-coders. There are also checks put in place such that obvious errors never actually make it to prod. To argue that engineers at companies are mishandling users' data in the same careless fashion that vibe-coders are doing is just untrue. There are legal/reputational implications to these errors and vulnerabilities so they are inclined to handle them with care. You may read about an article or two on a breach that happened with some X company and move on with your day, but they deal with the lawsuits and reputational damage for the months/years to come.

    I'm not even against vibe coding, I think it's super fun and is only improving. But the amount of vibe-coded apps out there that lack basic security is alarming.

    As dev I see Claude being able to create production ready quality code, it just has a few bad habits but if you ask the right things it will do it just fine.

  • Just learn RLS

  • Don't blame me, I'm an idiot.

  • i guess "sql injection and such" is back on the menu guys

  • Bro should have been hashing his passwords instead of hashing his bong.

  • Security is HARD, but I think it is possible to reduce the risks by steering the applications a bit. For example, using Passport.js, or reducing the attack surface by completely separating the application for administration from the one for users, with the administrative one only being accessible with a whitelist and 2FA. You can set this at the infra level.

    There are also the zero days like react2shell where you can basically do nothing and be vulnerable, so patching and upgrading the libraries once a month or so should be part of your ritual.

  • Vibecoding isnt the problem

    It's giving inexperienced people a highly powered tool. They might do the job fast, but it's still capped by the user.

    I even had to do the extra mile of securing by design and these guys just prompt it away hoping its secure by default

    In the future people will have to look for the SOC 2 badge before buying

    Agree. I don’t hate vibe coding itself, it’s an interesting concept even though I wouldn’t use it. Arrogant vibe coders who think they can do better than actual programmers are the problem.

    I agree. I’m retired 16 years and after over 40 years of coding and design work and being a lead systems analyst for the last 12 years of my work life I love vibe coding. But I know better than to rely on it for any reasonable amount of security. I don’t trust 99% of companies that use programmers as new hacks come up daily.
    But I love seeing it work. I’m creating a massive game and I love watching it provide ideas and generate the code. It took me a bit to get ChatGPT to generate fully functional code and automatically validate it to avoid compilation errors.

  • A lion doesn't concern himself with public access to full admin privileged account

  • How ironic for you to use AI to write the post for you, instead of spending 20 seconds writing something up, yourself.

    This isn't about me calling you out, OP. It's a wake-up call. 

    But you made that up, which kinda vitiates your point.

    No, smartass, I did not make it up. They wrote the post with AI and it very clearly has the same writing style as chatbots.

  • Are you legally allowed to "audit" a product to gain elevated permissions? Or did you get paid and then publicise it?

  • Which of his apps is this?

  • Well, if it's done in moderation & as long as you understand the code, vibe coding is okay.

    Don't write too many features at once, do it in small iterations, review code thoroughly, create issues for every issue you observe, and most importantly write tests.

    Before launch, check out these issues & seek help from colleagues to test & receive feedback.

    If you have built apps prior, you know what you wanted to achieve. For example: CORS, SHA-2 checksums, RLS, monitoring auth failures & brute force attempts, vulnerability scanning, regular updates, closing down unwanted ports, packages, secret scanning.

    These will for sure improve the security posture, but vibe coding wouldn't do this, programmers gotta do.

  • The image of him flying business class was AI generated, fyi.

  • That’s common when non IT folks think they can do vibe coding and ignore the secure part

  • job security for infosec

  • What is the best way to go about ensuring your shit vibe-coded website is secure? I'm currently 'developing' one with databases, payments, etc., but don't feel comfortable publishing it until I get a professional to test it, check for vulnerabilities, etc. I've run security checks on Lovable, but don't trust it and think the AI is just being a yes man.

  • This is what happens when you don’t create a SECURE instructions file and assume the AI will build secure code. This is the coder's fault entirely. You CAN code secure apps but you need to implement guidelines.

    Whether you're writing 100% of your code by hand, or writing 100% of your code through AI, it's your responsibility to know what you're doing and secure your production data. Especially if you have $34k MRR.

    Your customers aren't going to sue Anthropic if your app exposes data that leads to financial harm or HIPAA violations.

  • God. Why are we gate keeping software engineering? If there's a vulnerability in Microsoft products, what do we do? We report it to them without even thinking about it. Same for any other big company. Why is it that we find it so hard to do the same for solo entrepreneurs? Because we think they made something too easy? How have they devalued the profession by using tools available? Software engineers are often first movers ..why are we so against tools that are clearly the future of building stuff....? If the solution works...has ppl using it. Isn't that the core of engineering??

    No it isn’t the core of engineering. Engineering is a discipline where you try to make things that not only work but understand how they work so they are as safe and resilient as possible within the constraints of the environment you’re operating in.

    Imagine a scenario where you ask ChatGPT how to make Metformin so you can sell it and undercut the pharmacy. Then when you harm someone you wonder why you can’t just do a recall like Bristol Labs can.

    Why don’t we have vibe doctors or vibe pharmaceuticals or vibe lawyers? Because it’s irresponsible and dangerous. In the same manner, asking people to give you private information (email even) is irresponsible if you don’t have an understanding of the underlying system used to capture and store it so you can make reasonable efforts to secure it. Vibe coding is an idiotic term and idea that even its creator admits mostly doesn’t work. AI assisted coding for professionals is actually useful.

    Ok. I'm not sure your analogy connects in this situation. Let's look at the bigger picture. Top companies with super engineers leak data monthly. Every month, someone is issuing an apology from some company that we assume is using the top engineers. What do we do when this happens? We read the article and move on. We patch the tool and move on. No hate is spread.. no message to the company to stop building due to the leaks. Nope.. we just have the most on. If this happens to someone who doesn't have a billion dollar budget, we scorch earth as they must be stopped. The truth is, most don't care about users. We are somewhat bothered by a free mind. Most who complain are stuck in dead end jobs building tables and columns. I

    Actually the thing you’re pointing out with your example is how hard the problem actually is. Just because there are drugs recalled doesn’t make the process for discovering and vetting drugs pointless, it illustrates how hard the problem is. It requires more rigor not less

    The original poster could have probably sent one email with details about this, and quote for $5,000 to audit their app. Creator would have their issue solved, OP would have made some money, everything gets fixed and the general public never hears about it.

    It's super weird that they would rather publicly blast this, risk the creator's business and lose any chance to contract their services. All so they can just chant "AI bad!".

    Risk the creator's business? As a customer, I would like to know. I'm sorry if you get your feelings hurt that someone pointed out an issue in your product.

    It's pure jealousy, in my opinion. I don't see any post pointing out flaws in tools that are zero MRR.. it's always someone doing well that we try to cut down to size. ChatGPT leaked data recently with Mixpanel... no one batted an eye. We just moved on. I didn't even update my password...

    reflects poorly on the blaster, especially "team" skills / playing nice with others.

  • This isn’t a million miles away from all of the businesses for decades that have been putting features above security. It’s just more automated.