What Happens When Your Vibe-Coded App Gets Hacked: Real Attack Scenarios - VibeDoctor 
← All Articles 🚀 Deployment & Infrastructure Critical

What Happens When Your Vibe-Coded App Gets Hacked: Real Attack Scenarios

A walkthrough of real attack scenarios against AI-generated apps: from finding exposed keys to full database access in under 10 minutes.

SEC-002 SEC-006 SEC-014 SEC-001

Quick Answer

A typical AI-generated app can go from "looks fine" to "fully compromised" in under 10 minutes. The attack chain usually starts with finding an exposed API key in the JavaScript bundle, using it to access the database, then exfiltrating all user data. This is not theoretical - these are the exact steps attackers take against vibe-coded apps every day.

Scenario 1: The Supabase Service Key in the Bundle

A founder built a SaaS app with Lovable using Supabase for auth and database. The app was deployed on Vercel, users were signing up, and everything looked professional. Then a 14-year-old found the Supabase service role key in the JavaScript bundle.

Step 1: The attacker opens the deployed site in Chrome, opens DevTools > Sources, and searches for "supabase." They find NEXT_PUBLIC_SUPABASE_SERVICE_KEY in the webpack bundle.

Step 2: The service role key bypasses Row Level Security. Using the Supabase REST API directly: curl -H "apikey: [stolen-service-key]" -H "Authorization: Bearer [stolen-service-key]" "https://abc.supabase.co/rest/v1/users?select=*"

Step 3: Full database dump. Every user's email, hashed password, profile data, and billing information. Total time: 4 minutes.

According to the IBM 2024 Cost of a Data Breach Report, the average cost of a data breach is $4.88 million. For a solo founder, the GDPR fine alone can be up to 4% of annual revenue or 20 million euros, whichever is higher.

Scenario 2: SQL Injection via the Search Bar

A developer built an e-commerce dashboard with Cursor. The search feature used a raw SQL query with string interpolation - a pattern Cursor generates by default.

// The vulnerable code Cursor generated
app.get('/api/products/search', async (req, res) => {
  const { q } = req.query;
  const results = await db.query(
    `SELECT * FROM products WHERE name LIKE '%${q}%'`
  );
  res.json(results);
});

Attack: The attacker enters this in the search bar: ' UNION SELECT email, password_hash, null, null FROM users --

The query becomes: SELECT * FROM products WHERE name LIKE '%' UNION SELECT email, password_hash, null, null FROM users --%'

Result: The product search returns every user's email and password hash instead of products. The attacker can now crack the hashes offline, or use the credentials directly if passwords were stored in plaintext (another common AI code pattern). The OWASP Foundation has ranked injection attacks as the #1 web application vulnerability for over a decade.

Scenario 3: The Unprotected Admin API

A Bolt.new app had a clean user interface with role-based access. Admins saw extra buttons, regular users saw their own data only. But the API routes behind those buttons had no authentication checks.

Attack: The attacker opens DevTools > Network tab, watches what API calls the admin buttons make. Then calls those endpoints directly:

# Found by watching network requests
curl https://app.example.com/api/admin/users        # Returns all users
curl -X DELETE https://app.example.com/api/admin/users/123  # Deletes user 123
curl https://app.example.com/api/admin/export-data   # Full data export

No token required. No auth check. The frontend hid the buttons, but the API was wide open. Total time to discover: 2 minutes with a browser's DevTools.

Scenario 4: The Hardcoded Stripe Key

An AI-generated app had the Stripe secret key (sk_live_) in the source code. The attacker used it to:

  1. List all customers and their payment methods
  2. Issue refunds to their own account
  3. Create charges on existing payment methods
  4. Access dispute and billing data

Stripe's API with a secret key gives complete control over the merchant's payment processing. According to the Verizon 2024 DBIR, financial motives drive 95% of breaches. A stolen Stripe key is the most directly monetizable credential an attacker can find.

Why These Attacks Work Every Time

Vulnerability AI Tool Frequency Exploit Difficulty Impact
Exposed API keys in bundle Very common Trivial (view source) Full data access
SQL injection Common Easy (search bar input) Database compromise
Unprotected API routes Very common Trivial (curl) Admin access
Hardcoded payment keys Common Trivial (view source) Financial loss
Missing RLS on Supabase Very common Easy (API call with auth token) Cross-user data access

How to Prevent These Scenarios

Every scenario above is preventable with automated scanning. The attacks exploit common, well-known vulnerability patterns that have well-known fixes: parameterized queries, server-side auth middleware, environment variables for secrets, and database access policies.

Tools like VibeDoctor (vibedoctor.io) automatically scan your codebase for all of these patterns - exposed secrets, SQL injection, missing auth, and insecure configurations - and flag specific file paths and line numbers. Free to sign up. Run a scan before your next deployment, not after your first breach.

FAQ

How quickly do attackers find vulnerable apps?

Automated bots continuously scan the internet for common vulnerability patterns. Exposed API keys on public GitHub repos are found within minutes - GitGuardian reports that they detect exposed secrets within 4 seconds of being pushed. Deployed apps with common vulnerabilities are found through search engine dorking and automated scanning tools within hours of deployment.

What should I do if my app has already been compromised?

Immediately rotate all exposed credentials (API keys, database passwords, JWT secrets). Check access logs for unauthorized activity. Notify affected users if personal data was accessed (legally required under GDPR within 72 hours). Take the vulnerable endpoints offline while you fix them. Document what happened for incident response records.

Do small apps get targeted?

Yes. Automated scanners do not distinguish between apps with 10 users and apps with 10 million users. Bots scan every publicly accessible URL for common vulnerabilities. Small apps are actually more attractive targets because they are less likely to have monitoring, incident response, or the resources to pursue legal action.

Can I rely on Vercel/Supabase security instead of fixing my code?

No. Vercel and Supabase provide secure infrastructure, but they cannot protect against vulnerabilities in your application code. Vercel does not know if your NEXT_PUBLIC_ variables contain secrets. Supabase cannot enforce RLS policies you did not write. Infrastructure security and application security are separate layers - you need both.

Scan your codebase for this issue - free

VibeDoctor checks for SEC-002, SEC-006, SEC-014, SEC-001 and 128 other issues across 15 diagnostic areas.

SCAN MY APP →
← Back to all articles View all 129+ checks →

Related articles

🚀 Deployment & Infrastructure Vercel Environment Variables: What Is Actually Safe to Expose and What Is Not Critical 🚀 Deployment & Infrastructure GitHub Actions in Vibe-Coded Projects: Secrets Leaking in Workflow Logs Critical 🔒 Security Vulnerabilities Hardcoded API Keys in Bolt, Lovable & Cursor: How to Find and Remove Them Critical 🌐 Live Website Analysis Page Weight Budget: Why Your Vibe-Coded App Takes 8 Seconds to Load High