Technology

A scan of 380,000 vibe-coded apps found thousands with no authentication at all

Susan Hill

The vibe-coding pitch since 2023 has been the same — anyone can build an app. A new RedAccess scan delivers the first real receipt. Out of roughly 380,000 web applications built with AI coding tools and deployed through services like Netlify, about 5,000 had no authentication of any kind. Roughly 40 percent of those unprotected apps held sensitive data — user information, conversation logs, payment details, internal credentials. The numbers landed across WIRED, Axios, and Security Boulevard this week, and they describe a category of failure the industry has been quietly stockpiling for two years.

The named generators are the platforms most non-developers already know. Lovable, Replit, Base44, and the broader ecosystem of “build-from-prompt” tools have been pitching the same implicit promise — AI replaces not just the typing of code but the engineer in the loop. Pick a prompt, watch the app appear, ship it through Netlify or Vercel, share the link. What RedAccess’s scan documents is what has been silently going live without anyone in that loop asking whether the app needs a lock.

The vulnerabilities are not subtle. The unprotected apps did not require a clever attacker — they required a browser. Many shipped with Supabase or Firebase keys embedded directly in the client bundle, which means an interested party can read the database. Some allowed write access to the same database, so a stranger can edit your users’ records. A few exposed admin endpoints. The category of flaw is not a zero-day or a misconfigured edge case. It is the absence of the security layer entirely.

Skepticism belongs here, because the temptation to blame the tools is large and partially wrong. A junior developer building the same app from scratch without supervision would ship something similar. The difference is volume. Vibe-coding tools lower the floor enough that the total number of apps deployed by people who cannot independently reason about authentication has exploded. The tools can technically prompt for auth scaffolding, but the default flow does not enforce it, and the users who most benefit from these tools are precisely the users least equipped to notice when it is missing. Lovable has said it is working on default auth scaffolding. Replit has pointed to its existing security defaults while acknowledging that users can disable them. Base44 has not commented publicly. The platforms are reacting — the question is whether the reaction outpaces the deployment curve.

The structural reading is harder to swallow. For two years the industry has been pitching the removal of professional review from the deployment pipeline as a feature, not a cost. The RedAccess data is what removal looks like at scale. The apps work for the user who built them and they work for whoever else finds the URL. The next two years are likely to be a slow accumulation of these incidents until either the platforms enforce authentication at the framework level by default, or regulators force them to. Both can happen. The European Union’s product liability regime is already being reread to cover AI-generated software, and US state attorneys general have started circling.

What users of these platforms can do today is narrow. RedAccess has published guidance for the four named tools — check whether your app requires login before any data access, audit the keys shipped in the client bundle, and assume any URL you have shared is being scanned by someone. The platforms have promised improvements. The scan that produced this story took a few days. The next one is already being planned.
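One way to carry out the client-bundle audit that the guidance calls for, as an added example that is not from the article, RedAccess, or any of the named platforms: it scans a built JavaScript bundle for JWT-shaped Supabase keys and decodes the `role` claim to tell a publishable anon key from a service_role key, and flags Firebase web API keys for a rules check. The key formats relied on (Supabase keys as JWTs with a `role` claim, Firebase keys starting with `AIza`) and the sample bundle are assumptions constructed for the example.

```python
import base64
import json
import re

# Assumed key shapes: Supabase project keys are JWTs whose payload carries a
# "role" claim ("anon" or "service_role"); Firebase web API keys start with "AIza".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
FIREBASE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def audit_bundle(source):
    """Return (finding, severity) pairs for credentials embedded in a built client bundle."""
    findings = []
    for token in JWT_RE.findall(source):
        try:
            payload = json.loads(_b64url_decode(token.split(".")[1]))
        except ValueError:  # not a JWT after all, or payload is not JSON
            continue
        role = payload.get("role")
        if role == "service_role":
            # A service key bypasses row-level security: anyone with the bundle owns the database.
            findings.append(("supabase service_role key in client bundle", "critical"))
        elif role == "anon":
            # The anon key is meant to be public, but only protects data if RLS is on every table.
            findings.append(("supabase anon key in client bundle: verify RLS is enabled on every table", "review"))
    for _ in FIREBASE_KEY_RE.findall(source):
        findings.append(("firebase web API key in client bundle: verify security rules deny unauthenticated access", "review"))
    return findings


def _fake_jwt(role):
    """Constructed, unsigned token shaped like a Supabase key; not a real credential."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "HS256", "typ": "JWT"}) + "." + seg({"iss": "supabase", "role": role}) + ".fakesig"


# Constructed sample of a shipped bundle that leaks a service key and a Firebase config.
SAMPLE_BUNDLE = (
    'const supabase=createClient("https://example.supabase.co","' + _fake_jwt("service_role") + '");'
    + 'const firebaseConfig={apiKey:"' + "AIza" + "F" * 35 + '"};'
)

if __name__ == "__main__":
    for finding, severity in audit_bundle(SAMPLE_BUNDLE):
        print(f"[{severity}] {finding}")
```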
