← Back

The Vibe-Coding Epidemic: When Reddit Projects Are Security Nightmares

· Nikita Nosov

The other day I was bored, scrolling through Reddit looking for project ideas. I browsed subreddits about SaaS, new projects, technologies, and similar topics. Naturally, there are tons of people sharing their projects, ideas, and products there.

The pattern is simple: people write about their idea or a problem they solved by building a product, describe the main features, and leave a link for testing.

I checked out a few projects — some were genuinely interesting and potentially useful. But my curious mind couldn’t leave things alone, so I opened DevTools.

What I Found Was Terrifying

I started examining network requests and response structures. To my great surprise, almost all the sites I tested had similar HORRIBLE vulnerabilities.

Free Premium Subscriptions

On multiple projects, I was able to grant myself a PRO plan worth $20/month through a simple PATCH request to my subscription object without any payment or verification.

PATCH /profiles?id=eq.{user_id}
Content-Type: application/json

{"subscription_tier": "premium", "lifetime_access": true}

Response: HTTP 204 No Content

And just like that, I had premium access forever for free.

Full Database Exposure

I could view accounts and personal data of all other users, see the entire database structure, and even delete any data I wanted.

In one project, I accessed 365 user profiles with emails, subscription statuses, and internal IDs in just seconds.

{
  "id": "user-uuid-here",
  "email": "real.user@email.com",
  "subscription_tier": "free",
  "stripe_customer_id": "cus_...",
  "created_at": "2025-01-15T..."
}

All 365 rows were visible and modifiable.

Leaked API Keys

Authors were constantly leaking their internal API secrets. I obtained access to Gemini API keys and Groq API keys from two authors just because their network requests included the api_key parameter in plain text.

# Found in browser network tab
Authorization: Bearer gsk_DZfPZTzpGQqDxFTLfJjH...

This is just mind-blowing, and someone’s AI bill is about to get interesting.

The Pattern

So what did all these vulnerable sites have in common?

Their backend was built on Supabase, and the frontend was generated by Lovable or similar AI tools. I assume Lovable provides an out-of-the-box template with React frontend, Supabase backend, and Stripe as a payment system.

My hypothesis is that authors either misconfigure Supabase or leave the default configuration where any authenticated user can read and write to the database, completely ignoring Row Level Security.

The scariest part is that these people are actually charging money for their services while not caring about basic security testing.

The Vibe-Coding Epidemic

The vibe-coding epidemic has flooded the programming and SaaS world so thoroughly that sites are completely vulnerable and full of holes.

When you can:

  • ✅ Grant yourself premium for free
  • ✅ View all user data
  • ✅ Delete anything
  • ✅ Use someone else’s API quota

…the product isn’t really a product. It’s a liability.

Vibe Planning vs Vibe Coding

The difference between vibe planning and vibe coding

There's a crucial difference between these two approaches

Here’s my takeaway for developers: you still need fundamental knowledge about your product, technology, and overall computer science and cybersecurity to avoid compromising your security.

Okay, you’re letting yourself down — fine. But incompetent developers are also letting down their customers (and trust me, they exist, and there are many of them).

Developers need to use more vibe-planning than vibe-coding to create at least minimally secure and viable products.

Advice for Regular Users

For regular users, the takeaway is this: be cautious with your personal sensitive data when registering and using unfamiliar (probably vibe-coded and insecure) services.

Consider:

  • 📧 Create spare email accounts (like ProtonMail) and operate through them
  • 🔐 Don’t reuse passwords on sketchy new services
  • 💳 At least payments are managed by Stripe and are secure (probably, haha)

The barrier to creating software has never been lower, which is amazing for innovation but terrifying for security.

If you’re building something people pay for or trust with their data, please spend at least an hour trying to break it yourself by opening DevTools, sending weird requests, and trying to access other users’ data.

Because if you don’t test it, someone like me will, and I’m just curious and bored. The next person might not be so friendly.