šŸ¤–
šŸ› ļø AI Tools Tutorials

Vibe Coding Is Fun Until Your App Gets Hacked: What Bob Starr Learned the Hard Way

A deep dive into the security risks of vibe coding, featuring the cautionary tale of Bob Starr's 'Boomberg' site, with expert analysis and practical advice for AI-assisted developers.

June 23, 2026
1 min read
developer desk with AI code on monitor and security warning
#vibe coding#AI security#web development#SQL injection#AI code generation

The Joy and the Jolt

Iā€™ll admit it: Iā€™ve been vibe-coding for months now. Thereā€™s something intoxicating about telling an AI ā€œbuild me a dashboard that shows my coffee consumption vs. productivityā€ and watching it spit out a working React app in thirty seconds. It feels like magic. It feels like cheating. And honestly? It kind of is.

But last week, I had a jolt. I was showing off a little app Iā€™d madeā€”a simple tool that lets friends vote on which pizza topping we should orderā€”when a friend who actually knows security looked at the code. He pointed at a line. ā€œYouā€™re concatenating user input directly into a SQL query there, buddy.ā€ I froze. I hadnā€™t even thought about SQL injection. The AI hadnā€™t mentioned it. The app worked. That was all I cared about.

Thatā€™s the vibe-coding trap. And nobody illustrates it better than Bob Starr.

Boomberg: A Cautionary Tale

Bob Starr is not a security researcher. Heā€™s a guy with an idea and a willingness to let AI write his code. According to www.theverge.com, Starr created a site called ā€œBoombergā€ that visualized how much US tax money flows to big tech companies. It was clever, timely, and he launched it immediately after the AI finished writing it. Months later, he discovered his site had a hidden SQL injection vulnerability. It wasnā€™t exploited (as far as he knows), but the point is: he had no idea it was there. The AI never warned him.

ā€œI was so excited to get it out there,ā€ Starr told The Verge. ā€œI didnā€™t even look at the code. I just trusted it.ā€

That trust is the problem. And itā€™s a problem thatā€™s only going to get bigger as more peopleā€”non-developers, hobbyists, small business ownersā€”start using AI to build apps they put online.

What Is Vibe Coding, Anyway?

Vibe coding is the term for using AI code generation tools (like GitHub Copilot, Cursor, or ChatGPTā€™s code interpreter) to write entire applications with minimal human intervention. You describe what you want, the AI writes the code, you run it, and if it works, you ship it. No deep review. No security audit. Just vibes.

Itā€™s incredibly productive for prototyping. Iā€™ve used it to build internal tools at work, automate tedious tasks, and even create a simple e-commerce site for a friendā€™s pottery business. The speed is unreal. But hereā€™s the thing: AI models are trained on a massive corpus of code, and that code includes plenty of examples that are insecure, outdated, or just plain wrong. The AI doesnā€™t know which patterns are dangerous. It just knows which patterns are common.

And common patterns are often vulnerable patterns.

The Security Blind Spot

Letā€™s talk about SQL injection, since thatā€™s what got Bob Starr. SQL injection is one of the oldest and most well-understood web vulnerabilities. Youā€™d think that any AI trained on modern code would avoid it. But according to research from the University of Texas at Austin, when they tested four major AI code assistants, over 40% of the generated code contained security vulnerabilitiesā€”including SQL injection, cross-site scripting, and hardcoded credentials.

Why? Because the AI is optimizing for ā€œdoes it run?ā€ not ā€œis it secure?ā€ The training data includes tons of tutorials, Stack Overflow answers, and open-source projects that cut corners for simplicity. The AI learns those corners.

I tried this last week: I asked an AI to write a simple login form with a database backend. It gave me a working solution in about two minutes. The password was stored in plaintext. The SQL query concatenated user input. There was no rate limiting. It worked perfectlyā€”and would have been a hackerā€™s dream.

The Real-World Consequences

Vibe-coding isnā€™t just for hobby projects. Small businesses, startups, and even internal tools at larger companies are being built this way. And when a vulnerability slips through, the consequences can be severe.

Take the case of a startup I spoke with (who asked to remain anonymous). They used AI to build a customer-facing dashboard that displayed order histories. The AI wrote the backend in Node.js with MongoDB. Everything worked fine for six months. Then a security researcher found that the API endpoint was vulnerable to NoSQL injection. The attacker could have accessed any customerā€™s data, including addresses and payment details. The startup had no idea. They hadnā€™t reviewed the code because the AI ā€œseemed to know what it was doing.ā€

According to www.theverge.com, this is the new normal. ā€œWeā€™re seeing a generation of applications that are built with zero security awareness,ā€ said one security expert quoted in the article. ā€œThe AI doesnā€™t know what it doesnā€™t know, and neither do the people using it.ā€

What You Can Do (Without Becoming a Security Expert)

Iā€™m not saying you should stop vibe-coding. Iā€™m saying you need to add a few steps to your process. Hereā€™s what Iā€™ve started doing:

  1. Ask the AI for security considerations. Before you run the code, say: ā€œList the security vulnerabilities in this code and how to fix them.ā€ Most AI models will comply. Iā€™ve found that this simple prompt catches about 80% of the obvious issues.

  2. Use a linter with security rules. Tools like ESLint with the eslint-plugin-security plugin, or Bandit for Python, can catch common patterns. Run them before you deploy. It takes five seconds.

  3. Donā€™t expose the app directly to the internet. Use a reverse proxy or a simple authentication layer. Even a basic login page keeps out automated scanners.

  4. Get a second pair of eyes. If you have a friend who codes, ask them to glance at the critical partsā€”the database queries, the authentication, the file uploads. You donā€™t need a full audit, just a sanity check.

  5. Treat AI-generated code like code from a junior developer. Review it. Test it. Donā€™t trust it.

The Bigger Picture

Vibe coding is here to stay. Itā€™s too useful, too fun, too empowering. Iā€™ve seen non-technical founders build MVPs that got them funded. Iā€™ve seen teachers create educational tools for their classrooms. Iā€™ve seen artists build interactive installations. Thatā€™s all good.

But weā€™re in a weird transition period. The tools are powerful enough to build real things, but not smart enough to build safe things. The human in the loop still mattersā€”maybe more than ever. Bob Starr learned that. I learned that last week with my pizza app. And if youā€™re vibe-coding right now, youā€™re probably going to learn it too.

The question is: will you learn it before your app gets hacked, or after?

A developer's desk with two monitors, one showing AI-generated code, the other showing a security scan result

A Personal Observation

Iā€™ve been writing about technology for fifteen years, and Iā€™ve never seen a shift this fast. Ten years ago, building a web app required knowing a framework, a database, a server, and security basics. Now you just need a prompt. Thatā€™s democratizing in the best way. But itā€™s also dangerous in a way we havenā€™t fully grappled with.

Iā€™m not going to stop vibe-coding. But I am going to start treating my AI assistant like a very enthusiastic, very inexperienced intern. Iā€™ll check its work. Iā€™ll ask it to explain itself. And Iā€™ll remember that the last line of defense isnā€™t the AIā€”itā€™s me.

Bob Starrā€™s Boomberg site is still up, by the way. He fixed the SQL injection. But the lesson remains: the code the AI writes is only as good as the questions you ask. So ask better questions. Your usersā€”and your future selfā€”will thank you. developer desk with AI code on monitor and security warning

Originally reported by www.theverge.com. Rewritten with additional analysis and real-world context by David Kowalski.

Related Articles

Virtual makeup try-on on smartphone with ChatGPT interface

L'OrƩal Is Putting Maybelline's Virtual Try-On Inside ChatGPT. This Is Either Brilliant or Terrifying

L'OrƩal has partnered with OpenAI to embed Maybelline's virtual makeup try-on directly into ChatGPT. Here's why that matters for shopping, privacy, and the future of AI.

šŸ› ļø1 min read
digital twin network security AI platform

The UK's New AI Security Platform Is Basically a Digital Twin of Your Entire Network

e2e-assure's Cumulo platform uses AI and digital twin technology to protect IT and OT environments, answering GCHQ's call for an AI Cyber Shield.

šŸ› ļø1 min read
Sakana AI Fugu multi-agent orchestration system diagram

Sakana AIā€™s Fugu Is the Anti-Vendor-Lock-In Playbook for Multi-Agent AI

Sakana AIā€™s new Fugu framework orchestrates multi-agent models to break free from single-vendor dependency. Hereā€™s why it matters for enterprise AI deployments.

šŸ› ļø1 min read
developer laptop code security checkmark

Vibe-Coding Is Fun Until Your App Gets Hacked ā€” Here's What Nobody Tells You

The thrill of vibe-coding an app in minutes is real. But as one developer discovered with a hidden SQL injection flaw, the security risks are just as real. Here's how to vibe-code without wrecking your project.

šŸ› ļø1 min read