
    122 points waldopat | 23 comments
    1. zamalek No.44736778
    Hot on the heels of the vibe-coded Tea breach. Things are looking great for vibe coding.

    Don't get me wrong, I have been more hands-off (though not completely, and very prescriptive) with an SPA side project and it's going great. Claude makes way better looking UIs than my dog-ugly developer UIs. But vibing auth? That should seriously count as _legal_ gross negligence.

    replies(5): >>44736996 #>>44737543 #>>44737655 #>>44738035 #>>44738150 #
    2. IanCal No.44736996
    Nothing here says auth was vibe coded. It’s a platform for vibe coding.
    replies(3): >>44737432 #>>44737436 #>>44737727 #
    3. loupol No.44737432
    There's also nothing saying they are not dogfooding at least a little bit.
    replies(2): >>44739344 #>>44743278 #
    4. JohnMakin No.44737436
    You don’t think they dogfood their own app dev? Interesting.
    replies(1): >>44741400 #
    5. _fat_santa No.44737543
    I'm not sure I would even call what happened with Tea a breach. They just straight up didn't have any authentication around those endpoints.
    6. belter No.44737655
    "Vulnerability discovered in Google Gemini CLI, patch required" - https://www.techzine.eu/news/security/133402/vulnerability-d...
    7. zamalek No.44737727
    From the founder himself: https://www.lennysnewsletter.com/p/the-base44-bootstrapped-s...
    8. sunaookami No.44738035
    The Tea breach was not due to vibe-coding btw, the code was from the beginning of 2024 when vibe coding wasn't even possible.
    replies(4): >>44739256 #>>44740066 #>>44740077 #>>44741548 #
    9. jerf No.44738150
    At the moment, I would call "writing secure code that can be put on the internet" a super-human task. That is, even our most highly skilled human beings currently can't be blindly trusted to accomplish it; it requires review by teams of experts. We already don't even trust humans, so trusting AIs for the foreseeable future (as much as "the foreseeable future" may be contracting on us) is not something we should be doing.

    And so as to avoid the reader binning this post into "oh just some human triumphalist AI denier", remember I just said I don't trust individual humans on this point either. Everyone, even experts at coding secure code, should be reviewed by other experts at this point.

    I suspect this is going to prove to be something that LLMs can't do reliably, by their architecture. It's going to be a next-generation AI thing, whatever that may prove to be.

    replies(1): >>44738863 #
    10. FiniteIntegral No.44738863
    Agreed. Security is a task that not even a group of humans can perform with utmost scrutiny or perfection. 'Eternal vigilance is the price of liberty' and such. People want to move fast and break things without the backing infrastructure/maintenance (like... actually checking what the AI wrote).
    replies(1): >>44743493 #
    11. ryandrake No.44739256
    Whether it's strictly Vibe Coding™ or traditional coding by an incompetent amateur, the result is the same: defective and vulnerable slop.
    replies(1): >>44740878 #
    12. bee_rider No.44739344
    I wonder to what extent the vibe coding folks are dogfooding. Their platforms seem to basically work in the sense that they spit out some kind of code, so I guess there must not be too much dogfooding going on.
    13. dingnuts No.44740066
    By Karpathy's definition it still isn't possible. But I've definitely been hearing about AI generated code being just as good as my code since 2022.

    Don't gaslight us about timelines. The boosters have been telling us amateurs can code and we're all worthless for three and a half years now.

    When ChatGPT was launched, they said we'd all be on the streets by now.

    What I don't understand is the gleeful receipt of that news by some programmers.

    replies(2): >>44740135 #>>44740926 #
    14. bluefirebrand No.44740077
    Just because no one had coined the term vibe coding yet doesn't mean people weren't trying what would eventually be called vibe coding

    We had LLMs in 2024 that you could certainly try vibe coding with, but probably shouldn't have

    Just like we have LLMs today that you can certainly try vibe coding with but probably shouldn't

    replies(1): >>44741520 #
    15. bluefirebrand No.44740135
    > What I don't understand is the gleeful receipt of that news by some programmers

    I know there are very likely programmers that are gleeful about it, but I suspect that many of the gleeful voices we hear online are not programmers and are resentful of that fact

    I see this a lot with the type of people who are making AI "artwork". They often lacked the discipline to practice and learn to make art themselves, and they seem to bear an underlying resentment toward people who do make art. They are the sort of people who think making art is tied to some innate talent and not something that you can practice. Now they are gleeful about AI generators because it lets them create the pictures in their head without the effort of learning a skill, and they are celebrating that they no longer suffer under the tyranny of people who actually enjoy drawing and painting.

    16. Sherveen No.44740878
    Oh great, let's just say terms whenever, as long as they are adjacent in meaning to whatever we really mean. SMART!
    17. janalsncm No.44740926
    Pretty much. We are almost four years into “LLMs will make SWEs obsolete in 6 months” now. Turns out, most tools that let amateurs write bad code let pros write better code.
    18. zahlman No.44741400
    Dogfooding doesn't normally produce artifacts that end up in production, surely?
    19. cwmoore No.44741520
    Wasn’t that default public-accessible Firebase?
    replies(1): >>44742234 #
    20. QuadmasterXLII No.44741548
    Vibe coding started working in summer 2023, see e.g. https://github.com/HastingsGreer/jstreb/blob/1ccedf82ec463dc...

    The spectacular overcommenting has been here the whole time.

    Progress since then has mostly been people and tools catching up to the models; the limit of what the models can code has been pretty stagnant the last couple of years.

    21. sunaookami No.44742234
    Yes which is why the other comments don't make any sense because everyone just reads headlines.
    22. IanCal No.44743278
    There’s nothing saying they didn’t do this deliberately, but it’d still be an unsubstantiated accusation to say that’s why there was a problem with auth.
    23. runlaszlorun No.44743493
    Ah yes... Move face and break things. Well Facebook didn't overpromise on that one...