"The vulnerability we discovered was remarkably simple to exploit - by providing only a non-secret app_id value to undocumented registration and email verification endpoints." So you could sign yourself up as editor / collaborator on any app once you knew the app's ID.
Jeez, that's sloppy. My colleague in 2000 discovered you could browse any account on his bank's website by just changing the (sequential!) account IDs in the URL. In a lot of ways we've made great strides in security over the last 25 years... and in many ways, we haven't.
20 years ago the school class enrollment website allowed just that by changing account IDs in URL, we were bypassing the priority enrollment. I had fun adding my friends and I to classes we wanted.
I took a slightly different approach and simply wrote a script that checked availability every minute, and then sent me a text message alert when a seat opened up.
(Upperclassmen often switched their schedules around after the priority enrollment deadline ended)
Incredible, my university class reg system had un-sanitized input for the class search field so if you knew the SQL you could find exactly how full a class was and dump the whole table of classes without needing to wait for your reg to open.
And pretty sure you could insert your student ID into the class that way too :)
When doing large enough transactions that makes cash cumbersome, the slowness is a feature not a bug. We would want multiple reviews and time before it settled.
The value of $100 bill was much higher in 2000 and in 1969 when it became the highest denomination in circulation, so you could transact much higher value with a “wad of cash” than today.
Before 1969 we had bills up to $10,000 for a reason, they served like a credit note/T-Bill from the government, they were no longer needed after banking became robust enough for Cheques/P-Notes etc to replace them.
Paper Cash or Gold/silver coins before them are well understood solved problems, with thousands of years of experiments on size, security ,seigniorage and so on.
Hot on the wheels on the vibe-coded Tea breach. Things are looking great for vibe coding.
Don't get me wrong, I have been been more hands off (though not completely, and very prescriptive) with an SPA side project and it's going great. Claude makes way better looking UIs than my dog ugly developer UIs. But vibing auth? That should seriously count as _legal_ gross negligence.
At the moment, I would call "writing secure code that can be put on the internet" to be a super-human task. That is, even our most highly skilled human beings currently can't be blindly trusted to accomplish it; it requires review by teams of experts. We already don't even trust humans, so trusting AIs for the forseeable future (as much as "the forseeable future" may be contracting on us) is not something we should be doing.
And so as to avoid the reader binning this post into "oh just some human triumphalist AI denier", remember I just said I don't trust individual humans on this point either. Everyone, even experts at coding secure code, should be reviewed by other experts at this point.
I suspect this is going to prove to be something that LLMs can't do reliably, by their architecture. It's going to be a next-generation AI thing, whatever that may prove to be.
Agreed. Security is a task that not even a group of humans can perform with upmost scrutiny or perfection. 'Eternal vigilance is the price of liberty' and such. People want to move fast and break things without the backing infrastructure/maintenance (like... actually checking what the AI wrote).
the spectacular overcommenting has been here the whole time
Progress since then has mostly been people and tools catching up to the models, the limit of what the models can code has been pretty stagnant the last couple years
> What I don't understand is the gleeful receipt of that news by some programmers
I know there are very likely programmers that are gleeful about it, but I suspect that many of the gleeful voices we hear online are not programmers and are resentful of that fact
I see this a lot with the type of people who are making AI "artwork". They often lacked the discipline to practice and learn to make art themselves, they seem to bear an underlying resentment to people who do make art. They are the sort of people who think making art is tied to some innate talent and not something that you can practice. Now they are gleeful about AI generators because it lets them create the pictures in their head without the effort of learning a skill, and they are celebrating that they no longer suffer under the tyranny of people who actually enjoy drawing and painting
Pretty much. We are almost four years into “LLMs will make SWEs obsolete in 6 months” now. Turns out, most tools that let amateurs write bad code let pros write better code.
I wonder to what extent the vibe coding folks are dogfooding. Their platforms seem too basically work in the sense that they spit out some kind of code, so I guess there must not be too much dogfooding going on.
There’s nothing saying they didn’t do this deliberately, but it’d still be an unsubstantiated accusation to say that’s why there was a problem with auth.
For AI companies visibility is more important than the actual product. This is a characteristic of many bubbles were getting the word out is the only thing needed to get investors. Investors are scrambling to put as much money in AI as possible, so quality is not a concern for "entrepreneurs".
Me too. They make it seem like you can vibe code an entire web shop in one prompt. In reality they charge by the token so if you hit a wall trying to get the AI to do stuff you run up a huge bill but it's too late to get out.
I've got a question! I'd say what's happening with viebcoding is really an acceleration of move fast and break things. Uber and Snapchat both had major security vulnerabilities, resulting in millions of user records leaked, in their hey day of the mid 2010s. And that was WITH whatever DevOps pipeline, code review or other best practices likely in place.
What's unique about Tea or Base44 (or Replit founder deleting his codebase) is A) the disregard for security best practices and B) the speed at which they both grew and exposed vulnerabilities.
So my question is, how do you see the balance of cybersecurity and AI as everything moves faster than ever before?
> Platforms like Loveable, Bolt, and Base44
> Wiz Research has been looking into the security posture
> (recently acquired by Wix following an amazingly rapid rise)
Anyone else find all these names really surreal?
(Yeah, Google is kind of a dumb name too, but at least there's a cute story behind it.)
(Okay, I knew Wix had been around for quite some time, but I didn't expect it to be almost as old as YouTube....)
I might go to the extent of saying that this is classical example of security by obscurity, and for good or bad reasons, a lot of applications would fall into this category, one way or another.
These platforms feel like their authors just stick a big bow (uniquely branded ofc) on top of llms. I don't want to undervalue the importance of good glue code.. but that's all I see here. Doesn't deserve the glossy sheen or accolades imo.
Every single day someone dies a wrongful death, a plane crashes, a serious data breach occurs, and someone slips on a banana peel.
None of these things will ever stop the billionaire gravy train because of something called “Risk Management.” I don’t think our “vibe-coded AI slopware” is an exception.
I would expect so to some degree. Part of acquisition process is tech diligence usually done by a third party firm. But it’s not the deepest review. They run some code scans and dig into security policies and procedures, and then create a report with their findings which is used for R&W, insurance, etc.
HA HA but seriously: I predict someone's going to start a Venture Fund where all the DD is "done by AI" with equally predicable results. I'm calling it now. Bookmark this comment.
That's my take too. Perhaps $80M for free organic users was a steal?
I do think credit is due to the founder, because he was able to single handedly build and market a valuable solution. That said, he also pushed code every day without code reviews. This is how you get technical debt and security vulnerabilities so fast.
I'm happy you said something, i had mistakenly assumed the opposite: that Wix was disclosing a vulnerability they discovered themselves. Everyone wins.
Jeez, that's sloppy. My colleague in 2000 discovered you could browse any account on his bank's website by just changing the (sequential!) account IDs in the URL. In a lot of ways we've made great strides in security over the last 25 years... and in many ways, we haven't.
(Upperclassmen often switched their schedules around after the priority enrollment deadline ended)
Not as bullet proof as your approach!
And pretty sure you could insert your student ID into the class that way too :)
cash was and is still instant.
When doing large enough transactions that makes cash cumbersome, the slowness is a feature not a bug. We would want multiple reviews and time before it settled.
The value of $100 bill was much higher in 2000 and in 1969 when it became the highest denomination in circulation, so you could transact much higher value with a “wad of cash” than today.
Before 1969 we had bills up to $10,000 for a reason, they served like a credit note/T-Bill from the government, they were no longer needed after banking became robust enough for Cheques/P-Notes etc to replace them.
Paper Cash or Gold/silver coins before them are well understood solved problems, with thousands of years of experiments on size, security ,seigniorage and so on.
Don't get me wrong, I have been been more hands off (though not completely, and very prescriptive) with an SPA side project and it's going great. Claude makes way better looking UIs than my dog ugly developer UIs. But vibing auth? That should seriously count as _legal_ gross negligence.
And so as to avoid the reader binning this post into "oh just some human triumphalist AI denier", remember I just said I don't trust individual humans on this point either. Everyone, even experts at coding secure code, should be reviewed by other experts at this point.
I suspect this is going to prove to be something that LLMs can't do reliably, by their architecture. It's going to be a next-generation AI thing, whatever that may prove to be.
We had LLMs in 2024 that you could certainly try vibe coding with, but probably shouldn't have
Just like we have LLMs today that you can certainly try vibe coding with but probably shouldn't
the spectacular overcommenting has been here the whole time
Progress since then has mostly been people and tools catching up to the models, the limit of what the models can code has been pretty stagnant the last couple years
Don't gaslight us about timelines. The boosters have been telling us amateurs can code and we're all worthless for three and a half years now.
When ChatGPT was launched, they said we'd all be on the streets by now.
What I don't understand is the gleeful receipt of that news by some programmers
I know there are very likely programmers that are gleeful about it, but I suspect that many of the gleeful voices we hear online are not programmers and are resentful of that fact
I see this a lot with the type of people who are making AI "artwork". They often lacked the discipline to practice and learn to make art themselves, they seem to bear an underlying resentment to people who do make art. They are the sort of people who think making art is tied to some innate talent and not something that you can practice. Now they are gleeful about AI generators because it lets them create the pictures in their head without the effort of learning a skill, and they are celebrating that they no longer suffer under the tyranny of people who actually enjoy drawing and painting
What's unique about Tea or Base44 (or Replit founder deleting his codebase) is A) the disregard for security best practices and B) the speed at which they both grew and exposed vulnerabilities.
So my question is, how do you see the balance of cybersecurity and AI as everything moves faster than ever before?
Anyone else find all these names really surreal?
(Yeah, Google is kind of a dumb name too, but at least there's a cute story behind it.)
(Okay, I knew Wix had been around for quite some time, but I didn't expect it to be almost as old as YouTube....)
https://www.ynetnews.com/articles/0,7340,L-5461537,00.html
None of these things will ever stop the billionaire gravy train because of something called “Risk Management.” I don’t think our “vibe-coded AI slopware” is an exception.
this is israeli on israeli violence
I wonder if they fixed it manually or used Base44 to fix it
Wix was probably acquiring a growing userbase.
I do think credit is due to the founder, because he was able to single handedly build and market a valuable solution. That said, he also pushed code every day without code reviews. This is how you get technical debt and security vulnerabilities so fast.
The scary and exciting thing is it's still possible today with other needs.