
AI app builders published thousands of apps with data leaks

Platforms like Lovable, Base44, Replit and Netlify let anyone create web apps without code in seconds. But a detailed analysis showed that developers often forg

Source: Wired. Collage: Hamidun News.

Platforms like Lovable, Base44, Replit and Netlify use AI to allow anyone, even without programming skills, to create fully functional web applications in seconds. But Wired researchers discovered a crack in this utopia: thousands of applications containing critical confidential data are lying open on the internet — API keys, passwords, authorization tokens. And no one is doing anything about it.

How AI Builders Work

Services like Lovable and Base44 are built on large language models like GPT-4. A developer simply describes what they need: "Make me an app for tracking expenses with Stripe integration." Within seconds, the system generates a complete React component or Vue application with frontend and logic. Then the project can be immediately published via Netlify with one button or hosted on Replit. This is revolutionary for development speed. Usually an MVP requires weeks or months of work. Here — hours, sometimes minutes. It's no wonder hundreds of thousands of developers have started using these services.

Scale of the Problem

Wired decided to check what ends up in open access. Researchers analyzed thousands of applications created on these platforms and published to the open internet. The result was alarming: a significant portion contained API keys, database passwords and other confidential data. These are not isolated cases of carelessness. This is a systemic problem: the platforms have no mechanisms to prevent leaks. When code is generated automatically and published with one button, the security review process simply disappears.

What Data Leaks

  • Third-party service API keys — OpenAI, Stripe, AWS, Google Cloud, Twilio. All of them are in client-side JavaScript code, available for download to anyone.
  • Database passwords — credentials for MongoDB, PostgreSQL, MySQL often unhashed and visible in the application source code.
  • Authorization tokens and session cookies — with which you can intercept other people's accounts.
  • Private encryption keys — used to protect user data.
  • Internal IDs and architecture — even if individually secure, together they reveal the application structure for attacks.

When researchers found these keys, they were able to access user accounts and data. Moreover — bots that constantly scan the internet for such leaks are already finding them automatically.

Why This Happens

The main reason is simple: development speed leaves no time for security. When an MVP can be created in 10 minutes, there is no code review, no vulnerability checks, no standard process. On large projects, this would have been caught. The second reason — the platforms themselves do nothing. They don't warn the developer that an API key has been found in the code. There's no automatic scrubbing of sensitive data. No hint: "Make sure you deleted all passwords before publishing." Just publish — and that's it. The third reason — developers are not trained. A person who couldn't code yesterday is creating an application with real logic today. No one explained the basic security rules to them.

What This Means

This is a classic case of democratization that didn't go quite right. The tools really do allow more people to create. But at the same time, the field for errors expands. For businesses — if you use these platforms for production applications, simply creating code is not enough. Be sure to manually check it for leaks before publishing. Look for API keys in the source, passwords in configs, private data in logs. For the platforms themselves — this is a critical moment. They need built-in security checks, warnings when keys are detected, maybe even rejection of publication. Otherwise the reputation will suffer.
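A pre-publish check of the kind the paragraph above calls for, added here as an example (not code from Wired or from any of the platforms named): it scans built assets for credential-shaped strings and reports only a redacted prefix, so the report itself does not leak. The key prefixes follow the vendors' documented formats, which is an assumption that may need updating; the sample bundle and every value in it are constructed.

```python
import re
from pathlib import Path

# Shapes of secrets that must never ship in a client-side bundle. The prefixes
# follow the vendors' documented key formats (assumption: formats can change),
# and publishable/public keys (e.g. Stripe pk_*) are deliberately not flagged.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Stripe secret key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "OpenAI API key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),
    "Google API key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "Database URL with creds": re.compile(
        r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql)://[^\s:/@]+:[^\s@]+@"),
    "JWT / session token": re.compile(
        r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def redact(secret: str) -> str:
    """Keep only a short prefix so the report does not re-leak the value."""
    return f"{secret[:6]}...({len(secret)} chars)"

def find_secrets(text: str) -> list[dict]:
    """Return every credential-shaped match in `text`, ordered by position."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append({"line": lineno, "col": m.start(), "kind": kind,
                             "preview": redact(m.group(0))})
    return sorted(hits, key=lambda h: (h["line"], h["col"]))

def scan_build_dir(root: str, suffixes=(".js", ".mjs", ".html", ".json", ".map")) -> list[dict]:
    """Scan every shipped asset under `root` (e.g. dist/ or build/) before deploy."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            for hit in find_secrets(path.read_text(errors="replace")):
                findings.append({"file": str(path), **hit})
    return findings

# Constructed sample of a built bundle; every value below is fake.
SAMPLE_BUNDLE = """// constructed sample bundle, all values fake
const STRIPE_PUBLISHABLE = "pk_live_publishableKeysAreMeantToBePublic00";
const STRIPE_SECRET = "sk_live_EXAMPLE0000000000000000a";
const DB_URL = "mongodb+srv://appuser:hunter2@cluster0.example.invalid/app";
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
fetch("/api", {headers: {Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"}});
"""
```

Wire `scan_build_dir("dist")` into the build step and fail the deploy when it returns anything; the publishable Stripe key in the sample is correctly left alone, while the secret key, database credentials, AWS key and bearer token are flagged.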

Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.