Vibe Coding's Hidden Tax: Why Rapid Prototypes Leak Data

Veracode's 2025 GenAI Code Security Report found that 45% of AI-generated code introduces hidden security vulnerabilities. That is not a fringe number. It is the baseline reality for every Australian small business currently shipping a "vibe coded" app.

The barrier to building software has dropped to almost nothing. Tools like Cursor, Bolt.new and Lovable generate entire applications from a description. Perth business operators are launching internal tools in days, not months. The productivity is real. The security is mostly an illusion. AI writes terrible security architecture when left unsupervised.

Stanford research has the data: developers using AI assistants are more likely to write insecure code while believing it is secure. The danger is not that the app does not work. It is that the app works perfectly while quietly leaving the front door open.

The problem with "it works"

When an AI builds a feature for you, its primary objective is to make the code compile and run based on your prompt. It wants you to succeed as quickly as possible. That goal often directly conflicts with secure engineering practice.

If a database needs to be connected, an AI might hardcode your production API keys directly into the frontend just to get the data flowing. To a non-developer, the app looks finished because the data appears on screen. To anyone browsing the network tab, your master database password is sitting there in plain text. The OWASP Top 10 has flagged broken access control and cryptographic failures as the most common web app vulnerabilities since 2021, and AI-built apps inherit these flaws by default.

We see AI tools skip authentication checks all the time. Just because the user interface hides a button does not mean the backend database refuses the request. Without specific instructions, AI models build systems where any user can manipulate data belonging to someone else. The OWASP Top 10 for LLM Applications calls this out explicitly.

This is not a hypothetical. The Office of the Australian Information Commissioner's Notifiable Data Breaches reports consistently show that compromised credentials and misconfigured access controls are among the leading causes of notifiable breaches. Many of those misconfigurations look exactly like what a vibe-coded MVP looks like on day one.

The most common AI coding flaws

When auditing vibe-coded projects for local Australian organisations, we consistently spot the same three issues:

Client-side secrets exposed. Developers embed sensitive API keys, database credentials or third-party service tokens directly into the client-facing codebase instead of using server-side environment variables. The Australian Signals Directorate's Essential Eight treats credential management as a baseline control. Tools like GitHub's secret scanning regularly catch these leaks, but only after the secret is already public.

Missing rate limits. Automated endpoints or forms that have zero protection against brute-force attacks or spam. We have seen this drive up Vercel and Supabase bills by thousands within hours of a single malicious actor noticing.

Over-privileged roles. The AI grants a database connection "admin" access rather than restricting permissions to exactly what the application needs. This violates the principle of least privilege that underpins almost every modern security framework, including the NIST Cybersecurity Framework and the ASD Information Security Manual.

How to vibe code safely

You should not stop your team from using these tools. The productivity gains are real. But you do need a separate verification layer before anything goes live.

Strictly prompt your AI agent for secure defaults. At the start of every project, instruct the system: "Never hardcode API keys. Use environment variables. Configure row-level security on every database table. Validate authorisation server-side, not in the UI." Anthropic's own Claude security guidance and Vercel's environment variables documentation cover the right patterns.

Always run an independent code audit. Before deploying an AI-generated solution to your customers or plugging it into your main business data, have an experienced engineer review the architecture. It is much cheaper to patch an authentication gap in staging than to deal with the fallout of an exposed client list. Or to land on the OAIC's quarterly breach report.

Threat-model the deployment. Stripe, AWS and Supabase all publish opinionated guidance on key management. Read it, apply it, then assume your AI agent did not.

If your team has built an internal tool using AI and you are not completely confident in its security posture, book a free vibe code audit. We will identify exactly what risks the AI left behind.