AIToday

Security researcher finds over 5,000 AI-coded web applications exposing sensitive corporate and personal data without authentication or security protections

WIRED AIMay 7, 20263 min read
Security researcher finds over 5,000 AI-coded web applications exposing sensitive corporate and personal data without authentication or security protections

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  1. Security researcher Dor Zvi and his team at RedAccess analyzed thousands of web applications created using AI software development tools Lovable, Replit, Base44, and Netlify, identifying more than 5,000 that had virtually no security or authentication. Around 40 percent of the apps exposed sensitive data, including medical information, financial data, corporate presentations, strategy documents, and detailed logs of customer conversations with chatbots.

  2. The researchers discovered the exposed apps by searching Google and Bing for domains owned by the four AI coding companies, since these platforms allow users to host apps on the companies' own domains rather than users' own. Many apps allowed anyone with the URL to access them; others required only trivial barriers like signing in with any email address.

  3. Close to 2,000 of the 5,000 publicly accessible apps appeared to contain private data, with examples including a hospital's work assignments with doctors' personally identifiable information, a company's ad purchasing details, a firm's go-to-market strategy presentation, a retailer's full chatbot conversation logs with customer names and contact information, and a shipping firm's cargo records. In some cases, the exposed apps would have allowed administrative privilege escalation.

  4. The three companies that responded—Replit, Lovable, and Base44—pushed back on the findings, arguing that users made deliberate configuration choices to make apps public, though they did not deny the apps were left exposed. Lovable also noted that phishing sites impersonating Bank of America, Costco, FedEx, Trader Joe's, and McDonald's appeared to have been created with its tool and hosted on its domain.

Discussion

No comments yet. Be the first to share your thoughts!

Log in to join the discussion

Related Articles

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →