Vibe-coding vulnerabilities: how AI-generated websites create security holes for hackers
Bob Starr created “Boomberg” — a tool for tracking U.S. taxpayer spending on technology — with AI and put it online right away. A few months later, he…
AI-processed from The Verge; edited by Hamidun News
Vibe-coding has given millions of people the ability to create applications without programming knowledge — it's enough to describe a task in plain language, and AI will generate working code. It's convenient, fast, and often produces excellent results. But behind this accessibility lies a problem that most beginners simply don't think about: AI writes working code — but not always secure code.
The Story of One Website
Bob Starr, a project manager in the technology industry, used vibe-coding to create the "Boomberg" website — a tool that visually showed how much US tax money goes to technology companies. He was satisfied with the result and immediately launched the project to public access — this is how vibe-coding works: fast, from idea to product, without intermediate stages. Only after several months did Starr discover an alarming detail: the code contained an SQL injection vulnerability. This is a classic flaw in which user input is inserted directly into a database query, so an attacker can read or modify data in the database simply by crafting that input. The vulnerability existed from the very start — it's just that no one noticed it.
"This was a clear oversight on my part. A complete blind spot when learning a new technology. And I'm sure others are making the same mistake," Starr acknowledged in a conversation with The Verge.
Why AI Misses Threats
AI coding tools are optimized for one thing: making the code do what's asked of it. They generate functional results quickly — but security often takes a back seat or is ignored entirely. The problem is not the quality of the generated code. The problem is that a user without development experience doesn't know what questions to ask. An experienced engineer, after writing code, will always check: how does data get into database queries, who has access to administrative functions, and did any secrets end up in the repository? For most vibe-coders, such questions simply don't come to mind.
Typical vulnerabilities in vibe-coded projects:
- SQL injections — user input is concatenated into database queries instead of being passed as parameters
- Exposed API keys — secrets end up directly in the source code
- Outdated dependencies — use of libraries with known vulnerabilities
- Unprotected endpoints — administrative functions without authorization checks
- XSS vulnerabilities — user-supplied data is rendered in the browser without escaping
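To make the first item concrete, here is an added example (not code from the article or from Boomberg) showing the query pattern AI tools commonly emit beside its parameterized fix. The `vendors` table and its rows are constructed sample data; the only assumption is Python's built-in `sqlite3`.

```python
import sqlite3


def build_db():
    """Constructed sample data: a small spending table with one non-public row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vendors (name TEXT, amount INTEGER, public INTEGER)")
    conn.executemany(
        "INSERT INTO vendors VALUES (?, ?, ?)",
        [
            ("Acme Cloud", 1200000, 1),
            ("O'Brien Systems", 450000, 1),
            ("Internal Pilot", 90000, 0),  # must never be shown to the public
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """The pattern to look for: user input glued straight into the SQL text."""
    sql = "SELECT name, amount FROM vendors WHERE public = 1 AND name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterized query: the driver passes `term` as data, never as SQL."""
    sql = "SELECT name, amount FROM vendors WHERE public = 1 AND name = ?"
    return conn.execute(sql, (term,)).fetchall()


def apostrophe_breaks_query(conn, term):
    """True if the concatenated query fails on a legitimate name such as O'Brien."""
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    # A legitimate name containing a quote: the safe version works, the
    # vulnerable one raises a syntax error (a functional bug, not yet a breach).
    print(search_safe(db, "O'Brien Systems"))
    print(apostrophe_breaks_query(db, "O'Brien Systems"))
    # Input that rewrites the WHERE clause: the safe version returns nothing,
    # the vulnerable one returns every row, including the non-public one.
    print(search_safe(db, "x' OR '1'='1"))
    print(search_vulnerable(db, "x' OR '1'='1"))
```

The audit check this illustrates is mechanical: search the generated code for string concatenation or f-strings that build SQL, and replace each with a placeholder-and-parameters call.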
The Scale Is Not to Be Underestimated
Vibe-coding has long since left niche status. Cursor, GitHub Copilot, Replit, and Lovable have attracted tens of millions of users, many of whom are writing code for the first time in their lives. Some of these projects are personal experiments with no real users. But others are already running on the internet, processing real data, and open to anyone. It's important to understand: the vulnerability that Starr found is not exotic. SQL injections have been on the OWASP Top 10 list for over 15 years and remain one of the most common problems in web applications. AI reproduces them because it was trained on code that contained them.
Bob Starr's story is instructive precisely because he wasn't trying to cut corners — he simply didn't know what exactly needed to be checked. And that's the main structural risk of vibe-coding: not malice, but systemic ignorance.
What This Means
Vibe-coding lowers the barrier to entry in development, but it doesn't remove the responsibility for what you release on the internet. If a project processes user data or is simply accessible from the internet — a basic security audit is mandatory. Asking the same AI to check the code for vulnerabilities, studying OWASP Top 10, or sending the project for a quick audit by a specialist — that's already a good start.