Nobody Wrote the Code, and Nobody's Checking It

In January a developer launched a social network called Moltbook, and made a point of telling everyone he hadn't written a line of the code himself. An AI did it. Look what one person can do now!

It didn't take long for someone to find a gaping hole. A researcher at the security firm Wiz pulled up the production database: 1.5 million API tokens, 35,000 email addresses, and everything else in it.

Moltbook was laughed at and everyone moved on. But what has stuck is that this is now an ordinary way to build software, that the people doing it are running businesses, and that they're building tools for the office. It's only a matter of time before we see a run of news stories about data leaks that cause a lot more trouble.

There's a name for it now: vibe coding. You tell one of these tools (Lovable, Replit, Cursor, take your pick) what you want, it writes the code, and if it does what you asked, out it goes. You don't even read the code. You don't need to. Or so it seems...

And I get the appeal. A booking form you've been meaning to sort out since 2023, a portal so clients can grab their own files. That used to mean a developer's quote and weeks of waiting. Now it's a wet Sunday afternoon sat with a coffee. Of course people are having a go.

The code writes itself now. Reading it is the part that gets skipped.

The thing is that "it works" and "it's secure" are two very different things, and only one of them shows up while you sit there admiring your handiwork. Ask one of these tools for a client portal and it builds you a portal. People log in, they see their files, it demos beautifully. Whether it also lets one client read another's files by changing a number in the web address is not something the demo asks, not something the person who built it can answer, and not something they have ever even thought of.
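Here is what that "change a number in the web address" problem looks like in code, as an added example that is not from the original post or from any of the tools named: a stripped-down client-portal download handler the way it often comes out of these tools, beside the fixed form, plus the check a reviewer would run before the portal goes near real data. The clients, file ids and file names are constructed sample data.

```python
# Added example, not code from the original post: a client-portal file
# download handler as vibe-coded apps often ship it, beside the fixed form.
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredFile:
    file_id: int
    owner_id: int
    name: str

# Constructed sample data: two clients, each with one uploaded file.
FILES = {
    101: StoredFile(101, owner_id=1, name="acme-invoice.pdf"),
    102: StoredFile(102, owner_id=2, name="globex-payroll.xlsx"),
}

class Forbidden(Exception):
    """Raised when the logged-in client does not own the requested file."""

def download_vulnerable(session_user_id: int, file_id: int) -> StoredFile:
    """Looks the file up by id alone.  Login was checked upstream, ownership
    never is, so any logged-in client can fetch any file by changing the id."""
    return FILES[file_id]

def download_fixed(session_user_id: int, file_id: int) -> StoredFile:
    """Object-level authorization: the file must exist AND belong to the
    caller.  Missing and not-yours give the same error so nothing leaks."""
    f = FILES.get(file_id)
    if f is None or f.owner_id != session_user_id:
        raise Forbidden("no such file for this account")
    return f

def review_endpoint(handler, client_id: int, own_file: int, other_file: int) -> dict:
    """The check to run before the portal goes near real data: can a client
    still reach their own file, and are they refused someone else's?"""
    result = {"own_ok": False, "other_denied": False}
    try:
        result["own_ok"] = handler(client_id, own_file).owner_id == client_id
    except (KeyError, Forbidden):
        pass
    try:
        handler(client_id, other_file)
    except (KeyError, Forbidden):
        result["other_denied"] = True
    return result

if __name__ == "__main__":
    for h in (download_vulnerable, download_fixed):
        print(h.__name__, review_endpoint(h, 1, 101, 102))
```

Both handlers pass the "does it work" test; only the fixed one passes the "does it keep client 1 out of client 2's files" test, which is the one the demo never runs.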

This isn't just me being sulky. Veracode tested AI-written code across more than a hundred models last year and found a security flaw in it about 45% of the time. A coin toss. In May a firm called RedAccess found around 5,000 of these apps on the open internet with no real lock on the door, leaking sales spreadsheets, hospital rosters, or whatever was inside.

And then there's the bit that gets no thought at all. When a developer builds something for a client, a person stays with it. It gets patched when a hole is announced, watched when it behaves oddly, looked over before it goes near real data. A vibe-coded app has none of that. It was built by whoever had the idea, who was three ideas down the road before the app was ever used in the wild, and who never audited the code in the first place. And so it sits there, online until it leaks customer data, or in your network waiting to be exploited by a hacker.

But the Privacy Act doesn't care. A breach of a booking form knocked together in an afternoon is the same as any other breach: a notifiable data breach, a report to the OAIC, an uncomfortable email to everyone affected. We've written before about how the days after a leak tend to go. They are not good days.

To be fair, the Australian Cyber Security Centre has put out guidance on these tools, and it isn't telling anyone to stop. Its line is that vibe coding should make building software quicker, but not make testing and debugging irrelevant. Yet already it's clear that's exactly what is happening.

So where's the line? For a rough prototype, or a spreadsheet replacement that never goes near the internet or a customer's details, vibe coding is genuinely useful. But the moment something holds real customer or business data, or anyone outside the office can reach it, a person who can read and understand code needs to check the dull, important things first: what data is exposed, who has permission to access it, and how bad actors are kept from finding their way in.

That is ordinary work for us, and not usually a big job. Security is a process rather than something you finish, as we've said before, and a vibe-coded app is one more thing on the network that needs the same patching, monitoring and occasional penetration test as everything else. That it was written by an AI changes none of that, and actually makes it even more important.

We've been looking after Sydney businesses for over 20 years. Is there something running on your network that you can't quite remember commissioning? Vibe coded some business tools and need to make sure they're not giving away your bank account details? Get in touch and we'll take a look. No sales pitch, just a straight conversation.

Jamie Wilson, Founder
