Insecure Vibes

A practical example of how the growing vibe coding wave produces superficial apps that fail the simplest of security checks.

This isn’t a new problem. For web apps, every few years a new solution promises to simplify web development and make it more accessible to the layman. First was the CMS era. Then came the No-Code/Low-Code boom, with many platforms advertising a way to build entire apps without ever touching a single line of code. When we realized the technology was not quite there yet and ahead of its time, we settled into an era defined by API programmers focused on using as many npm and pip packages as possible in their simple to-do list or weight-loss app. The era of vibe coding is no different. The only new revelation is just how far removed today’s builders are from the underlying systems they’re deploying to the public. GenAI is brutally exact in fulfilling prompts, making products that look good to the unsuspecting maker while completely disregarding the safety measures that inexperienced non-dev makers don’t even know to look for. This last part is crucial because it *can* include safety features, but you need to tell it exactly which ones and where.

Stumbling upon a clearly vibe coded web app that tracks user clicks by country, it only took a matter of minutes to flood its database with falsified clicks and entries.

First, open your browser’s devtools console and monitor the network traffic after clicking the button on the website to see what kind of requests are being made.

That’s the API keys we need right there

That’s the structure of each database entry

Well, what do you know: with the information available it’s no problem fabricating some POST requests straight through the devtools console.

Yes, the user_ip is just a string with no form verification. A delay of 5ms between each post request is enough for all of them to go through without being rate limited, whilst providing a sufficient number of clicks.

This is what happens when you don’t explicitly tell the AI to enable RLS in Supabase.
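As an added example (not code from the original post, and not the app’s actual schema), here is the weak shape that lets the above happen next to a hardened one. The table name `public.clicks`, its columns (`country`, `user_ip`, `created_at`), the function `record_click`, and the 10-clicks-per-minute threshold are all assumptions for illustration; the `request.headers` setting is the standard PostgREST mechanism Supabase uses to expose request headers to SQL.

```sql
-- WEAK (assumed shape of the vibe-coded app): a table reachable with the
-- public anon key, RLS off (the Postgres default), and user_ip as free text.
create table public.clicks (
  id         bigint generated always as identity primary key,
  country    text not null,
  user_ip    text,                                   -- any string is accepted
  created_at timestamptz not null default now()
);
-- With RLS disabled, anyone holding the anon key from the browser bundle can
-- insert, update, delete and read every row directly through the REST API.

-- HARDENED (same table):
-- 1. Make the database reject non-IP strings. Rows already holding garbage
--    would need cleaning up before this cast succeeds.
alter table public.clicks
  alter column user_ip type inet using user_ip::inet;

-- 2. Constrain country to a two-letter code so the aggregate cannot be polluted.
alter table public.clicks
  add constraint clicks_country_iso2 check (country ~ '^[A-Z]{2}$');

-- 3. Turn on RLS. With no insert/update/delete policy defined, the anon and
--    authenticated roles are denied those operations outright.
alter table public.clicks enable row level security;
revoke insert, update, delete on public.clicks from anon, authenticated;

-- Public read stays allowed (the site shows per-country counts).
create policy "public read of clicks"
  on public.clicks for select to anon using (true);

-- 4. Writes go only through a server-side function that derives the IP from
--    the proxy header itself and throttles per IP. The client never supplies
--    user_ip. (Assumes x-forwarded-for is set by the platform's gateway.)
create or replace function public.record_click(p_country text)
returns void
language plpgsql
security definer
set search_path = public
as $$
declare
  v_ip inet;
begin
  v_ip := split_part(
            current_setting('request.headers', true)::json ->> 'x-forwarded-for',
            ',', 1)::inet;

  -- Simple per-IP throttle: at most 10 clicks per minute (assumed threshold).
  if (select count(*) from public.clicks
      where user_ip = v_ip
        and created_at > now() - interval '1 minute') >= 10 then
    raise exception 'rate limit exceeded for %', v_ip;
  end if;

  insert into public.clicks (country, user_ip) values (p_country, v_ip);
end
$$;

-- The anon role may call the function (rpc/record_click) but still cannot
-- touch the table directly.
grant execute on function public.record_click(text) to anon;
```

The point of the split is that the anon key in the browser is not a secret and never can be; what protects the data is the policy set on the table, so a table with RLS off is effectively world-writable the moment the key ships to the client. A `count(*)` throttle inside the function is deliberately crude and would not survive a large distributed flood on its own, but it removes the 5 ms-loop trick described above and keeps the IP and country values out of the caller’s hands.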
