Researchers found that over 5,000 web applications built with AI coding platforms like Lovable, Base44, and Replit lacked proper authentication controls. Approximately 40% of these apps exposed sensitive data.
A security analysis revealed widespread vulnerabilities in web applications generated by popular AI coding tools, raising concerns about the rapid deployment of untested code.
Researchers examined thousands of applications created using platforms that promise to let anyone build functional web apps in seconds. The study found that more than 5,000 apps had little to no authentication mechanisms in place, leaving user data and application logic exposed to unauthorized access.
Among the surveyed applications, roughly 40% exhibited active data exposure issues. These ranged from unprotected API endpoints to publicly accessible databases and exposed credential information. The vulnerabilities suggest that AI tools, while accelerating development speed, are not adequately guiding users toward security best practices.
The affected platforms—Lovable, Base44, Replit, and Netlify—have democratized web development by automating code generation. However, the security findings indicate a critical gap between ease of use and production-ready security standards.
The research highlights a growing tension in the AI development space: as tools lower barriers to entry for non-technical users, they may inadvertently enable the creation of poorly secured applications at scale. Default configurations often lack authentication, and many users may not understand the security implications of their choices.
Platform developers have been contacted about the findings. The situation underscores the need for stronger default security settings and clearer guidance on implementing authentication and data protection in AI-assisted development tools.
For organizations using these platforms, the research recommends conducting security audits of generated applications and implementing proper authentication before deploying to production.
Partnered Health, one of Australia's largest healthcare providers, has disclosed a cyber-attack affecting 21 clinics across Sydney, Melbourne, and Canberra. Personal information and medical records were compromised in the breach.
Security firm Intruder has developed an AI-powered system that automatically identifies previously unknown software vulnerabilities by combining code analysis with large language models. The tool already discovered and exploited a WordPress plugin zero-day.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.