Vibe Coding's Hidden Cost: Security Holes, Technical Debt, and the Developer Shortage No One's Talking About
Artificial intelligence has made it easier for everyone to write code – even those of us who can't code. The phenomenon has been given the term vibe coding, though some would rather we gave it a different name.
Anthropic, which has kicked off the process for a stock market listing, has Claude Code. OpenAI has Codex. And beyond those, there's a wide selection of other tools you can use: Cursor, Lovable, Replit, and Netlify. Even Norway has its own players in this space. Riff is an exciting Oslo-based company working to make it easier for businesses to build AI applications and agents. I've been following them for a while – back when they were called Databutton – and it's genuinely cool that companies like this are emerging in Norway too.
But while vibe coding has thrown open the door for all of us to build an app, a website, or a piece of code to drop into our own site (like the little widget you can see in the bottom left right now), it has also left access to private data wide open.
Found a ton of data
The company RedAccess has reviewed and analysed several thousand vibe-coded apps and websites. Over 5,000 sites had neither security mechanisms nor any way to authenticate users. RedAccess looked at code written through the platforms I mentioned above.
"This is one of the biggest events ever where people are exposing corporate or other sensitive information to anyone in the world." – Dor Zvi, founder and security analyst at RedAccess, speaking to WIRED.

Meanwhile, the Wall Street Journal has interviewed two of the minds behind OpenClaw – the AI agent that took the world by storm earlier this year. Mario Zechner and Armin Ronacher believe that artificial intelligence – which in several cases has already begun replacing software developers – is now flooding the internet with weak and potentially harmful code.
"You have infrastructure that’s falling apart, and you have software that’s now very, very buggy compared to before" – Zechner to the Wall Street Journal.
It's interesting to hear this from two people who have themselves been at the absolute cutting edge of AI agent development. The fact that they're looking with concern at how early-stage, growth-phase, and established companies are racking up technical debt and leaving security holes exposed should be a warning to a lot of people.
No response
When RedAccess reached out to the companies and presented their findings, getting a reply wasn't exactly straightforward. Which is somewhat ironic, given that these are companies claiming their platforms can build and scale businesses in the blink of an eye. Twenty-four hours, apparently, wasn't enough time to review RedAccess's findings and put together a response.
On X, Amjad Masad – CEO of Replit – grumbled about the short deadline. In the comments, Anton Osika agreed. He founded Lovable and serves as its CEO.
A cybersecurity firm, “Red Access,” contacted us less than 24 hours before going to the media with vague claims about Replit.
This is not how responsible security research works. The standard practice in terms of disclosure policies, as followed by CISA, CERT/CC, and most major…
— Amjad Masad (@amasad) May 6, 2026
I've had my fair share of experience having to respond to press enquiries – twenty-four hours is not unusual.
During Google I/O, the event where Google launches new products and lays out its plans for the future, Google CEO Sundar Pichai wrote a short piece about Google's agentic AI models. Seventy-five per cent of all new code is AI-generated. It is then approved by a human before being rolled out.
Better at new code
According to Mario Zechner, artificial intelligence is better at writing new code than it is at reviewing and improving what's already there. And that's precisely what's causing headaches for early-stage companies. On one hand, small companies can quickly launch new products and services. But as the company grows and the services become more complex, the AI agents start to struggle with code that's become increasingly sprawling.
Earlier this spring, software companies got a proper cold shower on the stock market. Software-as-a-Service companies (SaaS) seemed to be losing their edge in the face of Anthropic and OpenAI, who were rolling out new software almost daily. But then the tide turned, and the SaaSocalypse never came. The iShares Expanded Tech Software ETF – a fund made up of software companies – rose 13 per cent in a single week. And since 10 April, it's up 40 per cent.
They're not ditching the software
Right, enough stock market chat. But it does underline an important point that Zechner and Ronacher are making. Artificial intelligence can't yet outcompete large, solid software companies. Back in March, when the SaaSocalypse was at its worst, FedEx CTO Vishal Talwar spoke to the Wall Street Journal.
He made clear they had no interest in getting rid of their software vendors. Instead, the WSJ found a pattern: several large companies were using AI to build their own apps, or to make small customisations.
Which makes sense. Companies like Workday and Salesforce require a lot of maintenance. If a company builds its own HR platform, the savings from ditching Workday will be swallowed up – and then some – by the cost of maintaining it. The CIO of audit firm Grant Thornton put it this way:
"I’d much rather spend our internal dollars and effort building something that is truly cutting-edge and helps us grow" – Mike Kemp to the WSJ.
The bill will be due
Using AI to write code can be a genuinely great tool. It lets me show, rather than explain, what feature or tweak I'd want in my daily work. And frankly, it's fun – watching things get built on the screen in front of you, in a language you absolutely do not understand.
But I do think quite a few companies now charging into an aggressive growth phase will be in for a rude awakening. Newly qualified software developers can't get jobs. The belief that AI can do the work faster, cheaper, and better has taken hold in the market.
When the job opportunities aren't there, the expertise will dry up. No one will train as a developer if there's no prospect of being hired. And so the problems pile up: code that worked before no longer has the robustness it needs. Security holes expose business data, and eventually there aren't enough people left who actually know what they're doing.
A company weighed down by technical debt moves slowly – wading through treacle. Customers won't tie themselves to businesses that are haemorrhaging data.
At that point, there's only one thing to do.
Hire a human. And that's going to be a costly, drawn-out clean-up job.
