
Summaries like this, in your inbox every morning.
Sign up free →Security researcher Dor Zvi and his team at RedAccess analyzed thousands of web applications created using AI software development tools Lovable, Replit, Base44, and Netlify, identifying more than 5,000 that had virtually no security or authentication. Around 40 percent of the apps exposed sensitive data, including medical information, financial data, corporate presentations, strategy documents, and detailed logs of customer conversations with chatbots.
The researchers discovered the exposed apps by searching Google and Bing for domains owned by the four AI coding companies, since these platforms allow users to host apps on the companies' own domains rather than users' own. Many apps allowed anyone with the URL to access them; others required only trivial barriers like signing in with any email address.
Close to 2,000 of the 5,000 publicly accessible apps appeared to contain private data, with examples including a hospital's work assignments with doctors' personally identifiable information, a company's ad purchasing details, a firm's go-to-market strategy presentation, a retailer's full chatbot conversation logs with customer names and contact information, and a shipping firm's cargo records. In some cases, the exposed apps would have allowed administrative privilege escalation.
The three companies that responded—Replit, Lovable, and Base44—pushed back on the findings, arguing that users made deliberate configuration choices to make apps public, though they did not deny the apps were left exposed. Lovable also noted that phishing sites impersonating Bank of America, Costco, FedEx, Trader Joe's, and McDonald's appeared to have been created with its tool and hosted on its domain.
No comments yet. Be the first to share your thoughts!
Log in to join the discussion




Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.
Get Started FreeFree · takes 30 seconds · unsubscribe anytime
1 minute a day. The AI essentials.
200+ sources · Email / LINE / Slack