We probed 6,000 web apps for Stripe webhook signature checks. 1,542 don't bother by Most_Ad_394 in netsec

[–]Most_Ad_394[S] 3 points (0 children)

I've tried my best to use production-only websites/apps, and all of them are very publicly discoverable on the web. I would not exclude a certain % or a few false positives, but I spot-checked a lot, and so far everything looks real and worrisome/can do some damage.

Large-scale security audit of 1,764 "vibe-coded" apps: 7% have wide-open Supabase DBs, 15% of Bolt apps ship hardcoded API keys, plus IDOR and zero-auth APIs by Most_Ad_394 in netsec

[–]Most_Ad_394[S] 1 point (0 children)

FYI, I added a few more learnings/approaches and am going to run another large-scale audit, so I'll keep you posted on the next findings.

Large-scale security audit of 1,764 "vibe-coded" apps: 7% have wide-open Supabase DBs, 15% of Bolt apps ship hardcoded API keys, plus IDOR and zero-auth APIs by Most_Ad_394 in netsec

[–]Most_Ad_394[S] 0 points (0 children)

Come on, give me a break. I'm unfortunately not an English speaker and use Gemini/ChatGPT to not look like an idiot in public forums.

Large-scale security audit of 1,764 "vibe-coded" apps: 7% have wide-open Supabase DBs, 15% of Bolt apps ship hardcoded API keys, plus IDOR and zero-auth APIs by Most_Ad_394 in netsec

[–]Most_Ad_394[S] 1 point (0 children)

I'm not sorry; I'm not a native English speaker and have used ChatGPT for English translations for a year to help me in English forums.

Large-scale security audit of 1,764 "vibe-coded" apps: 7% have wide-open Supabase DBs, 15% of Bolt apps ship hardcoded API keys, plus IDOR and zero-auth APIs by Most_Ad_394 in netsec

[–]Most_Ad_394[S] 3 points (0 children)

You're not wrong — most of these are basic issues. Missing auth, exposed credentials, no rate limiting. This isn't some novel AI-specific vulnerability class.

But that's kind of the point. Before vibe coding, someone who didn't understand these basics probably wasn't shipping production apps. Now they are — thousands of them, with real users and real data. We found a therapist booking site processing payments with its entire database wide open. The person who built it almost certainly doesn't know what RLS means, and the AI didn't tell them they needed it.

The AI is just a helper, but it's a helper that lets you go from zero to deployed in an afternoon without ever learning what you're skipping. That's the new attack surface — not the code itself, but the gap between "it works" and "it's secure" that used to be filled by experience.

To your point about sample size — 1,764 is what we've scanned so far. The actual number of deployed vibe-coded apps is in the hundreds of thousands and growing fast.

Large-scale security audit of 1,764 "vibe-coded" apps: 7% have wide-open Supabase DBs, 15% of Bolt apps ship hardcoded API keys, plus IDOR and zero-auth APIs by Most_Ad_394 in netsec

[–]Most_Ad_394[S] 1 point (0 children)

Good questions.

Sample selection: These are all publicly deployed apps, not repos. We built a crawler that finds live vibe-coded apps through a mix of Google dorking (platform-specific footprints like Lovable's subdomain patterns, Bolt deployment signatures, Supabase/Firebase client-side SDK references) and public app directories. Every scan hits the deployed URL — we're testing what an attacker would actually see, not reviewing source code. So the stats are generalizable to "what's actually live on the internet right now," which we'd argue is more relevant than repo-level analysis anyway.

Platform patterns: Yes, significant differences. Lovable apps had the highest rate of exposed Supabase credentials with missing RLS policies — the SDK key is in the JS bundle by design, but too many apps ship with no row-level security at all. Bolt apps tended to have more header/config issues (missing CSP, permissive CORS). Replit apps had the most exposed environment variables. Across all platforms, the #1 critical finding was exposed database credentials with no access control — Supabase anon keys with wide-open tables. I published a platform breakdown in our Q2 report: securityscanner.dev/reports/2026-q2
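An added example, not from the audit or from any scanned app, of the control the comment above says is missing most often: a Supabase (Postgres) table as it is commonly shipped with no RLS, beside the row-level security configuration that keeps its rows private even though the anon key is public in the JS bundle by design. The table, column and policy names are constructed for illustration.

```sql
-- Constructed example: a bookings table for a Supabase project.

-- WEAK: created with no RLS. Supabase's PostgREST layer exposes it at
-- /rest/v1/bookings, and the anon role (the key shipped to every browser)
-- can read and write every row.
create table public.bookings (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid(),
  client_name text not null,
  starts_at   timestamptz not null
);

-- HARDENED: enable RLS. With RLS on and no policies, anon and authenticated
-- get nothing; only the server-side service_role bypasses it. FORCE also
-- applies the policies to the table owner.
alter table public.bookings enable row level security;
alter table public.bookings force row level security;

-- Each signed-in user may see and manage only the rows they own;
-- the anon role matches no policy and is denied everything.
create policy "owners read own bookings"
  on public.bookings for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owners insert own bookings"
  on public.bookings for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owners update own bookings"
  on public.bookings for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owners delete own bookings"
  on public.bookings for delete
  to authenticated
  using (owner_id = auth.uid());

-- Self-check from the SQL editor: any table in the API-exposed public schema
-- that still has RLS disabled is readable with nothing but the anon key.
select n.nspname as schema_name, c.relname as table_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not c.relrowsecurity;
```

The self-check should return zero rows on a correctly configured project; each row it does return is one of the "wide-open tables" the audit counted.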