[HN Gopher] Critical Vulnerability in AI Vibe Coding platform Ba...
___________________________________________________________________
Critical Vulnerability in AI Vibe Coding platform Base44
Author : waldopat
Score : 80 points
Date : 2025-07-30 16:12 UTC (6 hours ago)
(HTM) web link (www.wiz.io)
(TXT) w3m dump (www.wiz.io)
| steveBK123 wrote:
| I only know Base44 from the bombardment of YouTube ads for them I
| receive. Glad to hear its going well.
| steveBK123 wrote:
| Just checking back in here to note I am legitimately
| considering a Youtube sub just to make the Base44 ads go away.
| So the ads are having some impact!
| koakuma-chan wrote:
| Why not use an Adblock?
| swyx wrote:
| oh interesting. do you think that was a big part of their
| growth strategy pre acquisition or did the ads only pick up
| post acquisition?
| toddmorey wrote:
| This is so true. I've ONLY heard them mentioned from their own
| ads, never even once in the wild. Must be one hell of an ad
| budget.
| esafak wrote:
| It looks like they blew their budget on ads instead of
| engineers :)
| zamalek wrote:
| Hot on the wheels on the vibe-coded Tea breach. Things are
| looking great for vibe coding.
|
| Don't get me wrong, I have been been more hands off (though not
| completely, and very prescriptive) with an SPA side project and
| it's going great. Claude makes way better looking UIs than my dog
| ugly developer UIs. But vibing auth? That should seriously count
| as _legal_ gross negligence.
| IanCal wrote:
| Nothing here says auth was vibe coded. It's a platform _for_
| vibe coding.
| loupol wrote:
| There's also nothing saying they are not dog fooding at least
| a little bit.
| bee_rider wrote:
| I wonder to what extent the vibe coding folks are
| dogfooding. Their platforms seem too basically work in the
| sense that they spit out some kind of code, so I guess
| there must not be too much dogfooding going on.
| JohnMakin wrote:
| You don't think they dog food their own app dev? Interesting
| zamalek wrote:
| From the founder himself:
| https://www.lennysnewsletter.com/p/the-
| base44-bootstrapped-s...
| _fat_santa wrote:
| I'm not sure I would even call what happened with Tea a breach.
| They just straight up didn't have any authentication around
| those endpoints.
| belter wrote:
| "Vulnerability discovered in Google Gemini CLI, patch required"
| -
| https://www.techzine.eu/news/security/133402/vulnerability-d...
| sunaookami wrote:
| The Tea breach was not due to vibe-coding btw, the code was
| from the beginning of 2024 when vibe coding wasn't even
| possible.
| ryandrake wrote:
| Whether it's strictly Vibe Coding(tm) or traditional coding
| by an incompetent amateur, the result is the same: defective
| and vulnerable slop.
| dingnuts wrote:
| By Karpathy's definition it still isn't possible. But I've
| definitely been hearing about AI generated code being just as
| good as my code since 2022.
|
| Don't gaslight us about timelines. The boosters have been
| telling us amateurs can code and we're all worthless for
| three and a half years now.
|
| When ChatGPT was launched, they said we'd all be on the
| streets by now.
|
| What I don't understand is the gleeful receipt of that news
| by some programmers
| bluefirebrand wrote:
| > What I don't understand is the gleeful receipt of that
| news by some programmers
|
| I know there are very likely programmers that are gleeful
| about it, but I suspect that many of the gleeful voices we
| hear online are not programmers and are resentful of that
| fact
|
| I see this a lot with the type of people who are making AI
| "artwork". They often lacked the discipline to practice and
| learn to make art themselves, they seem to bear an
| underlying resentment to people who do make art. They are
| the sort of people who think making art is tied to some
| innate talent and not something that you can practice. Now
| they are gleeful about AI generators because it lets them
| create the pictures in their head without the effort of
| learning a skill, and they are celebrating that they no
| longer suffer under the tyranny of people who actually
| enjoy drawing and painting
| bluefirebrand wrote:
| Just because no one had coined the term vibe coding yet
| doesn't mean people weren't trying what would eventually be
| called vibe coding
|
| We had LLMs in 2024 that you could certainly try vibe coding
| with, but probably shouldn't have
|
| Just like we have LLMs today that you can certainly try vibe
| coding with but probably shouldn't
| jerf wrote:
| At the moment, I would call "writing secure code that can be
| put on the internet" to be a super-human task. That is, even
| our most highly skilled human beings currently can't be blindly
| trusted to accomplish it; it requires review by teams of
| experts. We already don't even trust humans, so trusting AIs
| for the forseeable future (as much as "the forseeable future"
| may be contracting on us) is not something we should be doing.
|
| And so as to avoid the reader binning this post into "oh just
| some human triumphalist AI denier", remember I just said I
| don't trust individual humans on this point either. Everyone,
| even experts at coding secure code, should be reviewed by other
| experts at this point.
|
| I suspect this is going to prove to be something that LLMs
| can't do reliably, by their architecture. It's going to be a
| next-generation AI thing, whatever that may prove to be.
| FiniteIntegral wrote:
| Agreed. Security is a task that not even a group of humans
| can perform with upmost scrutiny or perfection. 'Eternal
| vigilance is the price of liberty' and such. People want to
| move fast and break things without the backing
| infrastructure/maintenance (like... actually checking what
| the AI wrote).
| j45 wrote:
| It was only a few months old, how can technical debt and
| discoveries not be expected?
|
| Wix was probably acquiring a growing userbase.
| waldopat wrote:
| That's my take too. Perhaps $80M for free organic users was a
| steal?
|
| I do think credit is due to the founder, because he was able to
| single handedly build and market a valuable solution. That
| said, he also pushed code every day without code reviews. This
| is how you get technical debt and security vulnerabilities so
| fast.
| j45 wrote:
| For sure, shipping and iterating quickly to solve a problem
| people had vs just one's own vision and interpretation is
| really commendable.
|
| The scary and exciting thing is it's still possible today
| with other needs.
| htrp wrote:
| Wonder if Wix had any contractual reps/warranties around the
| state of the Base44 codebase.
| financetechbro wrote:
| I would expect so to some degree. Part of acquisition process
| is tech diligence usually done by a third party firm. But it's
| not the deepest review. They run some code scans and dig into
| security policies and procedures, and then create a report with
| their findings which is used for R&W, insurance, etc.
| DonHopkins wrote:
| "Vibe Diligence"
| ryandrake wrote:
| HA HA but seriously: I predict someone's going to start a
| Venture Fund where all the DD is "done by AI" with equally
| predicable results. I'm calling it now. Bookmark this
| comment.
| tracker1 wrote:
| Security analysis via AI...
| swyx wrote:
| soo Wiz found a vuln in Wix?
|
| this is israeli on israeli violence
| toddmorey wrote:
| "The vulnerability we discovered was remarkably simple to exploit
| - by providing only a non-secret app_id value to undocumented
| registration and email verification endpoints." So you could sign
| yourself up as editor / collaborator on any app once you knew the
| app's ID.
|
| Jeez, that's sloppy. My colleague in 2000 discovered you could
| browse any account on his bank's website by just changing the
| (sequential!) account IDs in the URL. In a lot of ways we've made
| great strides in security over the last 25 years... and in many
| ways, we haven't.
| subw00f wrote:
| Prepare for a whole new era of step backs when everyone is a
| "prompt engineer".
| andersa wrote:
| How nice to know they will be implementing the mandatory age
| verification systems for this new generation of the internet!
| srcport56445 wrote:
| Have we really made "progress" ? Even in 2000 I doubt people
| were allowed to walk into a bank and look at everyone's account
| details.
| dpoloncsak wrote:
| ...How long did it take a transfer to settle in the 2000s
| roozbeh18 wrote:
| 20 years ago the school class enrollment website allowed just
| that by changing account IDs in URL, we were bypassing the
| priority enrollment. I had fun adding my friends and I to
| classes we wanted.
| doawoo wrote:
| Incredible, my university class reg system had un-sanitized
| input for the class search field so if you knew the SQL you
| could find exactly how full a class was and dump the whole
| table of classes without needing to wait for your reg to
| open.
|
| And pretty sure you could insert your student ID into the
| class that way too :)
| ashton314 wrote:
| Heck you could probably just kick people out of the class
| that you didn't want to take it with.
| uponasmile wrote:
| >he vulnerability was fixed in less than 24 hours
|
| I wonder if they fixed it manually or used Base44 to fix it
| galnagli wrote:
| Happy to answer questions : )
| waldopat wrote:
| ^^^ Hey YC Fam, this is the author
| waldopat wrote:
| I've got a question! I'd say what's happening with viebcoding
| is really an acceleration of move fast and break things. Uber
| and Snapchat both had major security vulnerabilities, resulting
| in millions of user records leaked, in their hey day of the mid
| 2010s. And that was WITH whatever DevOps pipeline, code review
| or other best practices likely in place.
|
| What's unique about Tea or Base44 (or Replit founder deleting
| his codebase) is A) the disregard for security best practices
| and B) the speed at which they both grew and exposed
| vulnerabilities.
|
| So my question is, how do you see the balance of cybersecurity
| and AI as everything moves faster than ever before?
___________________________________________________________________
(page generated 2025-07-30 23:00 UTC)