What Hackers Look for in Vibe Coded Apps


TL;DR

Attackers know AI-generated apps have predictable vulnerabilities. They look for exposed API keys in JavaScript bundles, unprotected admin routes at common paths, missing rate limits on AI endpoints, and IDOR vulnerabilities in APIs. Understanding these targeting patterns helps you defend against them.

If you want to defend your vibe coded app, it helps to understand how attackers think. This isn't about teaching hacking. It's about understanding the attack surface so you can protect it.

The Attacker's First Steps

When targeting a web application, attackers typically start with reconnaissance. For AI-generated apps, they have some predictable starting points:

1. JavaScript Bundle Analysis

The first thing many attackers do is inspect your JavaScript. A production bundle is minified, not encrypted, so a plain text search over it is enough. They're looking for:

// Things attackers search for in your JS:
"OPENAI_API_KEY"
"sk-"           // OpenAI secret key prefix (always a secret; never belongs in a bundle)
"pk_live_"      // Stripe publishable key (public by design, but it confirms Stripe is in use)
"sk_live_"      // Stripe secret key (really bad: full access to your Stripe account)
"supabase"      // Supabase project URL and anon key (public by design; safe only if Row Level Security is on)
"/api/"         // API endpoint patterns (a map of your backend)
"admin"         // Admin-related routes
"firebase"      // Firebase config (public by design; security rules are the only gate)
"NEXT_PUBLIC_"  // Env vars with this prefix are inlined into the bundle on purpose, so a secret named this way ships to every visitor

Finding an API key in client-side code is like finding an unlocked door. The attacker will immediately test what access it provides.
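The search above, turned into a script you can run against your own build output. This is an added example, not code from the original post: the patterns are approximations of the common key formats, the severity split (real secret vs. public-by-design vs. recon) is the point being made, and the bundle text is constructed for the example.

```javascript
// Added example (not code from the original post): a scanner for the strings
// attackers grep out of a JavaScript bundle. The patterns are approximations
// of common key formats; the sample bundle is constructed.

const PATTERNS = [
  // Real secrets: a hit here is an incident, not a finding.
  { name: "openai_secret_key",      severity: "critical", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g },
  { name: "stripe_secret_key",      severity: "critical", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
  { name: "aws_access_key_id",      severity: "critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // Public by design: note them, then check what they unlock (RLS policies, key scope).
  { name: "stripe_publishable_key", severity: "info",     re: /\bpk_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
  { name: "supabase_project_url",   severity: "info",     re: /https:\/\/[a-z0-9]{20}\.supabase\.co\b/g },
  { name: "next_public_env",        severity: "info",     re: /NEXT_PUBLIC_[A-Z0-9_]+/g },
  // Recon: route strings tell the attacker where to poke next.
  { name: "api_route",              severity: "recon",    re: /["'](\/api\/[A-Za-z0-9_\/-]+)["']/g },
  { name: "admin_route",            severity: "recon",    re: /["'](\/[A-Za-z0-9_\/-]*admin[A-Za-z0-9_\/-]*)["']/g },
];

// 1-based line number of a character offset, so a finding points at a spot in the bundle.
function lineOf(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (source.charCodeAt(i) === 10) line++;
  return line;
}

// Never copy the full secret into the report; the report is one more place it can leak from.
function redact(value) {
  return value.length > 12 ? value.slice(0, 8) + "..." + value.slice(-4) : value;
}

function scanBundle(source) {
  const findings = [];
  for (const { name, severity, re } of PATTERNS) {
    re.lastIndex = 0;   // the regexes carry the g flag and keep state between calls
    let m;
    while ((m = re.exec(source)) !== null) {
      const value = m[1] !== undefined ? m[1] : m[0];
      findings.push({ name, severity, value: redact(value), line: lineOf(source, m.index) });
    }
  }
  return findings;
}

function summarize(findings) {
  const counts = { critical: 0, info: 0, recon: 0 };
  for (const f of findings) counts[f.severity]++;
  return counts;
}

// Constructed sample shaped like an unminified Next.js bundle. AKIAIOSFODNN7EXAMPLE is the
// placeholder access key id from AWS's own documentation, not a real credential.
const SAMPLE_BUNDLE = `// constructed sample, not a real build artifact
const OPENAI_KEY="sk-proj-abcdefghijklmnopqrstuvwxyz0123456789";
const STRIPE_PK="pk_live_abcdefghijklmnopqrstuv";
const STRIPE_SK="sk_live_abcdefghijklmnopqrstuv";
const AWS_KEY_ID="AKIAIOSFODNN7EXAMPLE";
const SUPABASE_URL="https://abcdefghijklmnopqrst.supabase.co";
const apiBase=process.env.NEXT_PUBLIC_API_URL;
fetch("/api/admin/users").then(r=>r.json());`;

const report = scanBundle(SAMPLE_BUNDLE);
for (const f of report) console.log(`${f.severity.padEnd(8)} line ${f.line}: ${f.name} ${f.value}`);
console.log(summarize(report));
```

Run it over every file under your build output directory (for Next.js that is .next/static) before you deploy, and treat any critical hit as a key rotation, not a code fix: the key has already shipped if a previous build went out.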

2. Common Path Scanning

Attackers run automated scans against common paths:

/admin
/api/admin
/dashboard
/internal
/debug
/.env
/api-docs
/swagger
/graphql
/config
/.git

Vibe coded apps often ship these routes exactly as the scaffold generated them, sometimes with no authentication at all. A reachable /.env or /.git is the worst case: it hands the attacker every secret and the full source of the project in one request.

3. Technology Fingerprinting

Attackers identify your tech stack to know which vulnerabilities to try:

  • Next.js apps have predictable API route patterns (everything lives under /api/)
  • Supabase apps ship the project URL and anon key in the client by design, so any table without a Row Level Security policy is readable with them
  • Firebase apps may have permissive security rules, which makes the database readable straight from the public config
  • Vercel deployments have known URL patterns (*.vercel.app), which makes them easy to enumerate

High-Value Targets in Vibe Coded Apps

  • AI endpoints (costly to abuse via your key)
  • Payment processing (credit card testing)
  • User databases (data theft or ransom)
  • Admin functions (full system compromise)
  • File upload endpoints (malware hosting)

The Most Exploited Vulnerabilities

Exposed API Keys

An OpenAI key in your frontend can cost you thousands of dollars in hours. An AWS key can compromise your entire infrastructure. Attackers have automated tools that scan GitHub and deployed sites for these patterns, and a found key is tested within minutes, so the only fix is to revoke it.

IDOR (Insecure Direct Object References)

If your API uses predictable IDs like /api/users/123, attackers will try /api/users/124 and see if they can access other users' data. AI-generated code usually checks that the caller is logged in, but often never checks that the caller is allowed to see the particular object they asked for.
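The vulnerable handler and the fixed one side by side, as an added example that is not from the original post. The invoice store, users and request objects are constructed stand-ins for a real database and web framework; the status codes and the ownership rule are the part that carries over.

```javascript
// Added example (not from the original post): the IDOR described above, as a
// vulnerable handler beside the fixed one. Store, users and requests are constructed.

const INVOICES = new Map([
  [123, { id: 123, ownerId: "u-alice", total: 4200 }],
  [124, { id: 124, ownerId: "u-bob",   total: 99 }],
  [125, { id: 125, ownerId: "u-carol", total: 310 }],
]);

function parseId(raw) {
  const id = Number(raw);
  return Number.isInteger(id) && id > 0 ? id : null;
}

// Vulnerable: authenticates the caller, then trusts the id. Any logged-in user reads any invoice.
function getInvoiceVulnerable(req) {
  if (!req.user) return { status: 401, body: { error: "unauthenticated" } };
  const id = parseId(req.params.id);
  if (id === null) return { status: 400, body: { error: "bad id" } };
  const invoice = INVOICES.get(id);
  if (!invoice) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: invoice };
}

// Fixed: the lookup is scoped to the caller. Someone else's invoice and a nonexistent
// one get the same 404, so the endpoint does not confirm which ids exist.
function getInvoiceFixed(req) {
  if (!req.user) return { status: 401, body: { error: "unauthenticated" } };
  const id = parseId(req.params.id);
  if (id === null) return { status: 400, body: { error: "bad id" } };
  const invoice = INVOICES.get(id);
  if (!invoice || invoice.ownerId !== req.user.id) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: invoice };
}

// What the attacker does: log in as bob, then walk the id space around bob's own invoice.
function enumerate(handler, userId, ids) {
  return ids.map((id) => handler({ user: { id: userId }, params: { id: String(id) } }).status);
}

console.log("vulnerable:", enumerate(getInvoiceVulnerable, "u-bob", [122, 123, 124, 125]));
console.log("fixed:     ", enumerate(getInvoiceFixed, "u-bob", [122, 123, 124, 125]));
```

With a real database the ownership condition belongs in the query itself (`WHERE id = $1 AND owner_id = $2`) so that no code path can forget it. Random or UUID identifiers make the walk slower but are not the fix; the fix is the ownership check.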

Missing Rate Limiting

Without rate limiting, attackers can:

  • Brute force passwords
  • Enumerate user accounts
  • Abuse expensive AI features
  • Crash your server with request floods
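A per-user token bucket in front of an AI endpoint, as an added example that is not from the original post. The clock is injectable so the example runs deterministically offline, the model call is a stub standing in for the server-side provider request, and the request shape and limits (10 requests burst, refilling at one per second) are assumptions chosen for the demo.

```javascript
// Added example (not from the original post): a per-key token bucket guarding an
// AI completion endpoint. Clock and model call are injected/stubbed so this runs offline.

class TokenBucket {
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map();   // key -> { tokens, last }; move to Redis when you run more than one instance
  }

  // Try to spend `cost` tokens for `key`, refilling lazily since the last call.
  take(key, cost = 1) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, last: t }; this.buckets.set(key, b); }
    b.tokens = Math.min(this.capacity, b.tokens + ((t - b.last) / 1000) * this.refillPerSec);
    b.last = t;
    if (b.tokens >= cost) {
      b.tokens -= cost;
      return { ok: true, remaining: Math.floor(b.tokens) };
    }
    return { ok: false, retryAfter: Math.ceil((cost - b.tokens) / this.refillPerSec) };
  }
}

function makeCompletionHandler({ limiter, callModel }) {
  return function handle(req) {
    // Authenticate first: an anonymous endpoint can only be limited per IP, which a botnet sidesteps.
    if (!req.user) return { status: 401, body: { error: "unauthenticated" } };
    const prompt = typeof req.body?.prompt === "string" ? req.body.prompt : "";
    if (prompt.length === 0 || prompt.length > 4000) return { status: 400, body: { error: "bad prompt" } };
    // Charge more for bigger prompts so the cap tracks what the provider bills you for.
    const cost = 1 + Math.floor(prompt.length / 1000);
    const verdict = limiter.take(`user:${req.user.id}`, cost);
    if (!verdict.ok) {
      return { status: 429, headers: { "Retry-After": String(verdict.retryAfter) }, body: { error: "rate limited" } };
    }
    return {
      status: 200,
      headers: { "X-RateLimit-Remaining": String(verdict.remaining) },
      body: { completion: callModel(prompt) },   // the real call holds the provider key server-side
    };
  };
}

// Deterministic demo: one user hammers the endpoint, waits five seconds, and tries again.
function runDemo() {
  let clock = 0;
  const limiter = new TokenBucket({ capacity: 10, refillPerSec: 1, now: () => clock });
  const handle = makeCompletionHandler({ limiter, callModel: (p) => `stub reply to: ${p.slice(0, 20)}` });
  const request = () => handle({ user: { id: "u-bob" }, body: { prompt: "summarize this page" } });
  const count = (n) => {
    const c = { allowed: 0, limited: 0 };
    for (let i = 0; i < n; i++) {
      if (request().status === 200) c.allowed++; else c.limited++;
    }
    return c;
  };
  const burst = count(20);   // 10 succeed, the rest get 429
  clock += 5000;             // five seconds later, five tokens have refilled
  const later = count(10);   // 5 succeed, 5 get 429
  return { burst, later };
}

console.log(runDemo());
```

The same bucket class covers the other abuses in the list: key login attempts on both the client address and the submitted username, so a spray across many accounts from one address and a slow brute force of one account from many addresses both hit a cap.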

SQL/NoSQL Injection

AI often generates code that concatenates user input into a SQL string, or passes a request-body object straight into a NoSQL filter. Attackers test every input field for injection, and the fix is not sanitizing the input but keeping data out of the query structure: parameterized queries for SQL, and strict type checks before anything reaches a NoSQL filter.
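The NoSQL form of this, which shows up in AI-generated login handlers, as an added example that is not from the original post. The user list and the filter matcher are constructed stand-ins for a MongoDB-style collection (only equality, $gt and $ne are implemented); the passwords are stored in plaintext only to keep the example short, and the comparison function stands in for a password-hash library's verify call.

```javascript
// Added example (not from the original post): operator injection against a
// NoSQL-style login query, with the fix. Collection and matcher are constructed.

const USERS = [
  { username: "admin", password: "correct horse battery staple" },   // plaintext only for the demo
  { username: "alice", password: "alice-pass" },
];

// Minimal subset of MongoDB filter matching, enough to show the problem.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond !== null && typeof cond === "object") {
      // An object in the filter is an operator expression, which is exactly what the attacker sends.
      return Object.entries(cond).every(([op, arg]) => {
        if (op === "$gt") return v > arg;
        if (op === "$ne") return v !== arg;
        throw new Error(`operator ${op} not implemented in this toy matcher`);
      });
    }
    return v === cond;
  });
}

function findOne(filter) {
  return USERS.find((doc) => matches(doc, filter)) || null;
}

// Vulnerable: JSON body fields go straight into the filter. The body
// {"username":"admin","password":{"$gt":""}} matches the admin row because
// every non-empty string is greater than "".
function loginVulnerable(body) {
  const user = findOne({ username: body.username, password: body.password });
  return user ? { ok: true, user: user.username } : { ok: false };
}

// Stand-in for bcrypt.compare / argon2.verify; real code stores and checks a hash.
function verifyPassword(stored, supplied) {
  return stored === supplied;
}

// Fixed: insist on scalar strings before they reach the query, look the user up by
// username only, and verify the secret in application code, so the database never
// evaluates an attacker-chosen operator.
function loginFixed(body) {
  const { username, password } = body || {};
  if (typeof username !== "string" || typeof password !== "string") {
    return { ok: false, reason: "username and password must be strings" };
  }
  const user = findOne({ username });
  if (!user || !verifyPassword(user.password, password)) return { ok: false };
  return { ok: true, user: user.username };
}

const payload = JSON.parse('{"username":"admin","password":{"$gt":""}}');   // what the attacker POSTs
console.log("vulnerable:", loginVulnerable(payload));
console.log("fixed:     ", loginFixed(payload));
```

The SQL counterpart is the same mistake with strings instead of objects: `"... WHERE email = '" + email + "'"` lets the input close the quote and add its own clause, and the fix is a parameterized query where the driver sends the value separately from the statement.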

How to Defend

Understanding attacker methodology helps you prioritize defenses:

Defense Priorities
  • Remove API keys from client code - Keep secrets in server-side environment variables and have the browser call a server route that holds the key (a NEXT_PUBLIC_ variable is not server-side)
  • Protect admin routes - Auth + role checks + IP restrictions; a non-guessable path is defense in depth, not a control
  • Add rate limiting everywhere - Especially auth and AI endpoints
  • Implement proper authorization - Check on every request that the caller is allowed to see the specific object, not just that they're logged in
  • Validate all input - Never trust data from the client, and use parameterized queries
  • Monitor for unusual patterns - Set up alerts for anomalies such as bursts of 401, 403 or 404 responses from one address
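One guard that applies several of these priorities to an admin route, as an added example that is not from the original post: an IP allowlist, a session check and a role check, with every denial recorded so the monitoring step has something to alert on. The request shape, the session store, the allowlist ranges and the IPv4-only CIDR matcher are assumptions made for the example.

```javascript
// Added example (not from the original post): admin-route guard combining an
// IP allowlist, a session check and a role check, and logging every denial.
// Request shape, session store and allowlist are constructed for the example.

const ADMIN_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"];   // constructed: VPN range + office range

function ipv4ToInt(ip) {
  const parts = typeof ip === "string" ? ip.split(".") : [];
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = (n << 8) | Number(p);
  }
  return n >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(net);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

const DENIALS = [];   // stand-in for your log pipeline; alert on bursts from one address

// req.ip must be the client address as resolved by a framework configured to trust only
// your own proxy. Reading X-Forwarded-For yourself lets the client choose its address.
function requireAdmin(req, sessions) {
  const deny = (reason) => {
    DENIALS.push({ reason, ip: req.ip, path: req.path });
    // Every failure looks like a missing page. A scanner hitting /admin learns nothing about
    // whether the route exists, whether it wants a session, or which addresses are allowed.
    // `reason` is returned for the demo and the log only; never put it in the response body.
    return { status: 404, body: { error: "not found" }, reason };
  };
  if (!ADMIN_CIDRS.some((c) => inCidr(req.ip, c))) return deny("ip_not_allowed");
  const session = sessions.get(req.cookies && req.cookies.session);
  if (!session) return deny("no_session");
  if (session.role !== "admin") return deny("not_admin");
  return { status: 200, body: { ok: true, admin: session.user } };
}

// Constructed session store.
const SESSIONS = new Map([
  ["tok-admin", { user: "root", role: "admin" }],
  ["tok-user",  { user: "bob",  role: "user" }],
]);

function runDemo() {
  DENIALS.length = 0;   // start each demo run with an empty log
  const mk = (ip, token) => ({ ip, path: "/admin", cookies: token ? { session: token } : {} });
  return {
    scannerFromInternet: requireAdmin(mk("198.51.100.7", "tok-admin"), SESSIONS).reason,
    noCookieOnVpn:       requireAdmin(mk("10.1.2.3", null), SESSIONS).reason,
    userOnVpn:           requireAdmin(mk("10.1.2.3", "tok-user"), SESSIONS).reason,
    adminOnVpn:          requireAdmin(mk("10.1.2.3", "tok-admin"), SESSIONS).status,
    denialsLogged:       DENIALS.length,
  };
}

console.log(runDemo());
```

The checks run cheapest and least revealing first: the address test costs nothing and rejects the internet-wide scanners from the path-scanning section before any session lookup happens. If you cannot put an allowlist in front of the route, keep the session and role checks and make the same 404 response for every failure.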

The Good News

Most attackers go for easy targets. If your app has basic protections, they'll move on to the thousands of apps that don't. You don't need perfect security. You need security better than the average vibe coded app, which honestly isn't a high bar.

How do attackers find my app in the first place?

Through search engines (Google dorking), scanning IP ranges, monitoring GitHub for new deployments, or finding you through shared hosting platforms. If your app is on the internet, assume it will be scanned.


Do small apps get targeted?

Yes. Automated attacks don't care about your user count. They scan everything looking for vulnerabilities. A small app with an exposed API key is just as valuable to an attacker as a large one.

Should I hire a penetration tester?

For production apps with real users or revenue, yes. But first, fix the obvious issues with automated scanning. Don't pay someone to tell you your API key is exposed in the frontend.
