Security for apps built with AI. Paste a URL, get a report, fix what matters.

© 2026 Flowpatrol. All rights reserved.

Insights & Updates

Security research, breach analysis, and engineering deep-dives.

IDOR: The Vulnerability AI Can't See
Security | Mar 29, 2026 | 13 min read

AI generates CRUD endpoints that work perfectly — but don't check if the requesting user actually owns the resource. Here's how IDOR vulnerabilities slip into AI-generated code, how attackers exploit them, and how to fix every one.

The Moltbook Breach: 1.5 Million API Tokens Exposed Because RLS Was Off
Case Study | Mar 29, 2026

How an AI agent social network built with vibe coding left its entire Supabase database wide open. A deep technical breakdown of the breach, what went wrong, and what every builder can learn from it.

The OWASP Top 10 Through the Lens of AI-Generated Code
Security | Mar 29, 2026

The OWASP Top 10 isn't just for security teams. Your AI coding tool just generated code that touches most of these categories. Here's what each one looks like in a vibe-coded app.

SQL Injection Is Not Dead: How It Shows Up in AI-Generated Code
Security | Mar 29, 2026

SQL injection was discovered in 1998 and should be a solved problem. But AI coding tools are bringing it back — generating string concatenation, raw queries, and dynamic column names that open the door to attacks. Here's how to spot it and fix it.

Your .env Is Showing: Environment Variable Exposure in Vibe-Coded Apps
Security | Mar 29, 2026

AI coding tools make shipping fast, but they also make leaking secrets easy. Here's how environment variables end up in your client-side bundle, how to audit your app in five minutes, and how to fix it before someone else finds your keys.

How to Secure Your Lovable App Before You Launch
Guides | Mar 28, 2026

A step-by-step security guide for apps built with Lovable. Fix the most common vulnerabilities in under an hour — no security expertise required.

The Lovable RLS Vulnerability: How One AI Platform Shipped the Same Security Flaw Across 170+ Apps
Case Study | Mar 28, 2026

CVE-2025-48757 exposed a systematic Row Level Security failure in Lovable, one of the most popular vibe coding platforms. 170+ apps. 303 vulnerable endpoints. A 1.8/10 security score. Here's what happened, why it matters, and what every builder should do about it.

What Happens When a Vibe-Coded App Gets Hacked: A Step-by-Step Breakdown
Security | Mar 28, 2026

A realistic walkthrough of how an attacker finds, probes, and exploits a typical app built with AI coding tools. From Google dorking to data exfiltration, here's exactly what happens — and what you can do about each step.

Why We Use LLMs for Security Testing (And What They Actually Catch)
Engineering | Mar 28, 2026

Traditional scanners match patterns. LLM-powered scanners read your app like a human would. Here's a side-by-side comparison of what each one finds — and misses — on the same endpoint.

Introducing Flowpatrol: You Shipped It. Now Make Sure It's Solid.
Product | Mar 27, 2026

You built an app in a weekend. Flowpatrol is the five-minute scan that tells you if it's ready for the real world. Here's what it finds and how it works.

Supabase RLS: The Security Feature Your AI Forgot to Enable
Security | Mar 27, 2026

Row Level Security is the difference between a secure Supabase app and a public database. Here's how RLS works, why AI tools skip it, and how to set it up in 15 minutes.

Top 10 Security Vulnerabilities in Vibe-Coded Applications
Security | Mar 27, 2026

A ranked list of the most common security issues we find in apps built with AI coding tools, with real examples and concrete fixes for each one.
