
A 6-month-old app just sold for $80 million. Its founder never wrote a line of code. Neither, it turns out, did the locks.

"Vibe coding" — building real software by just describing it in plain English — went from party trick to a $4.7B industry this year. The magic, and the trapdoor.

In June 2025, a 30-year-old developer named Maor Shlomo sold a company he'd started six months earlier for $80 million in cash. The product was a tool called Base44. He'd built it mostly alone. It had a quarter of a million users. And here's the part that makes people's jaws drop: much of it was built the new way — by typing what he wanted, in English, and letting an AI write the actual code.

That's "vibe coding," and in 2026 it stopped being a curiosity.

You describe the app you want — "a booking page for my barbershop that texts customers a reminder" — and a tool like Base44, Lovable, Cursor, or Replit writes the code, wires up the database, and puts it live. No computer science degree. No three months hunting for a technical co-founder. A working product by Sunday night.

It is, honestly, one of the most democratising things software has ever done. It is also quietly shipping a security problem into the world at a scale we've never seen. Both of those are true at once — and this issue is about holding both.

💻 The most empowering thing computers can do right now

Let's stay in the wonderful part first, because it genuinely is wonderful.

For fifty years, building software meant learning to speak the computer's language. Vibe coding flips that: you speak English, and the machine translates. You watch the app appear on screen as you talk to it — change the button, add a login, make it blue, connect it to Stripe — the way you'd direct a very fast, very literal assistant.

The numbers behind the trend are not small. Vibe coding is already a $4.7 billion market, projected to more than double by 2027. And the people using it aren't who you'd guess: roughly 63% are not professional developers — they're founders, product managers, teachers, nurses, small-business owners who finally have a way to build the thing they always pictured.

The Base44 story is the poster child. Shlomo bootstrapped it, hit 10,000 users in three weeks, grew to 250,000 users in six months, turned a profit, and sold to Wix for $80M — a nearly one-person company. He is not alone: solo founders are running million-dollar app businesses with a handful of staff, or none.

For a huge number of people, this is a door that was previously bolted shut. A domain expert with a great idea used to need money and a technical team to get through it. Now they need an afternoon and a clear description. That's real, and it's worth celebrating.

🚪 The catch: the AI writes the feature, but forgets the locks

Here's the thing nobody tells you at the demo. The AI is brilliant at making the app work. It is much worse at making the app safe — and because the result looks so polished, almost nobody checks.

When you tell a human developer "let users save their profile," a decent one instinctively also thinks: who's allowed to read that profile? where do the passwords live? what if someone tampers with the request? The AI often doesn't add those guard rails unless you explicitly ask — and a non-coder doesn't know to ask. The feature ships looking finished, with the security quietly missing.

This isn't hand-wringing. The measurements are stark:

  • Georgetown's CSET tested AI-generated code across five major models and found a cross-site-scripting flaw — a classic way to hijack a user's session — in 86% of the samples.

  • A Q1 2026 assessment of 200+ vibe-coded apps found that 91.5% contained at least one vulnerability traceable directly to the AI missing security context.

  • A security lab that tracks real, catalogued vulnerabilities caused by AI code watched the count climb month over month in early 2026 — a rising line, not a blip.

And it's not just theory. It has already leaked real people's data:

  • On one popular builder, a researcher removed a single authorization header from an app and the entire user database spilled out — names, emails, personal prompts. He and a colleague then tested 1,645 apps on that platform's marketplace and found 170 of them — about 1 in 10 — leaking user data the same way. A separate researcher pulled home addresses, debt balances, and API keys from live apps in under an hour. (It got a formal vulnerability ID: CVE-2025-48757.)

  • In January 2026, an AI-built social app launched with its founder proudly noting he "didn't write a single line of code." Within three days, researchers found it had exposed its whole production database — including 1.5 million authentication tokens and 35,000 email addresses.

  • A scan of 5,600 public vibe-coded apps turned up more than 2,000 high-impact vulnerabilities, over 400 exposed secrets (API keys, access tokens), and 175 cases of leaked personal data — including medical records and bank details.

There's even a brand-new attack that exists only because of AI coding. It's called slopsquatting. AI models sometimes "hallucinate" a software package that doesn't exist — they confidently tell you to install a tool that was never real. Attackers noticed the same fake names get suggested over and over, so they register those names for real and fill them with malware. The AI recommends the ghost package, you (or your AI agent) install it, and you've invited the attacker in. Researchers found open models conjure fake package names around 1 in 5 times — and some malicious look-alikes have already racked up thousands of downloads.

None of this means vibe coding is bad. It means the speed that makes it magic is the same speed that skips the locks — and right now, almost nobody is going back to fit them.

🛡️ The good news: the locks are cheap to fit — if you know to fit them

This is a very fixable problem, which is what makes it frustrating that it keeps happening. The security these apps miss isn't exotic; it's the boring, well-understood stuff, and most builders can turn it on in an afternoon.

The single biggest culprit in the real leaks above was a missing setting called row-level security — the rule that says "user A can only see user A's data." On the platforms involved, it's a checkbox that too many people never ticked. The second biggest was secrets (passwords and API keys) getting hardcoded straight into the app where anyone can read them, instead of being stored safely out of sight.
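Here is what that missing rule looks like in code. This is an added illustration, not code from Base44, Lovable, Replit, or any platform or researcher mentioned above: the profiles table, the users and the bearer tokens are all constructed, and it uses SQLite in memory so it runs anywhere. The first handler is the shape of the leak in the bullets above: the query never asks who is calling, so stripping the Authorization header changes nothing and every row comes back. The second handler applies the "user A only sees user A's data" rule, and a request with no identity gets a 401 instead of the whole table.

```python
import sqlite3

# Constructed sample data standing in for a vibe-coded app's user table.
SAMPLE_PROFILES = [
    (1, "alice", "alice@example.com", "alice's private prompt"),
    (2, "bob", "bob@example.com", "bob's private prompt"),
    (3, "carol", "carol@example.com", "carol's private prompt"),
]

# Hypothetical session tokens -> user ids, standing in for the platform's auth layer.
SESSION_TOKENS = {"tok-alice": 1, "tok-bob": 2}


def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (user_id INTEGER, username TEXT, email TEXT, prompt TEXT)"
    )
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?, ?)", SAMPLE_PROFILES)
    return conn


def authenticate(headers):
    """Return the caller's user id, or None if the Authorization header is absent or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSION_TOKENS.get(auth[len("Bearer "):])


def list_profiles_vulnerable(conn, headers):
    """The leak: the query has no notion of who is asking.
    The headers are accepted and ignored, so removing them changes nothing."""
    return conn.execute(
        "SELECT user_id, username, email, prompt FROM profiles"
    ).fetchall()


def list_profiles_fixed(conn, headers):
    """The row-level rule: identify the caller first, then scope the query to their rows.
    No identity means 401 and an empty result, never 'everything'."""
    user_id = authenticate(headers)
    if user_id is None:
        return {"status": 401, "rows": []}
    rows = conn.execute(
        "SELECT user_id, username, email, prompt FROM profiles WHERE user_id = ?",
        (user_id,),
    ).fetchall()
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = build_db()
    stripped = {}  # the request with its Authorization header removed
    print(len(list_profiles_vulnerable(db, stripped)))  # 3: the whole table leaks
    print(list_profiles_fixed(db, stripped)["status"])  # 401
    print(list_profiles_fixed(db, {"Authorization": "Bearer tok-alice"})["rows"])  # only alice's row
```

The fix lives in two places on purpose: the identity check and the `WHERE user_id = ?` clause. On PostgreSQL-backed platforms the same rule is expressed in the database itself with `ALTER TABLE ... ENABLE ROW LEVEL SECURITY` and a `CREATE POLICY` that compares the row's owner column to the authenticated user, so it holds even when a generated query forgets the clause.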

The tools are catching up, too. The same AI that writes the code can now review it: ask your coding assistant to "audit this for security vulnerabilities and fix them" and it will catch a real share of these issues. A wave of security scanners built specifically for AI-generated apps launched through 2025 and 2026. And the defence against slopsquatting is old and reliable — pin your dependencies, verify them, and never let an AI agent silently install a package no human has approved.

The point is: the miracle and the guard rails aren't enemies. You can have the weekend app and the locks. You just have to know the locks exist.

What to actually do — whether you build apps or just use them

If you're vibe coding something — even a small side project:

  1. Ask the AI to attack its own work. After it builds a feature, paste back: "Review this for security vulnerabilities — auth, access control, exposed secrets, injection — and fix them." It's the single highest-value prompt you're not sending.

  2. Turn on access control before you launch, not after. If your tool mentions "row-level security" or "auth rules," that's the checkbox that stops one user reading everyone's data. Don't skip it because the app already "works."

  3. Never hardcode secrets. API keys and passwords go in your platform's secrets/environment settings, never typed into the app itself. If you pasted one in during testing, rotate it.

  4. Don't auto-install what the AI suggests. Check that any package it recommends actually exists and is widely used before installing — that's your slopsquatting seatbelt.

  5. Get one real review before real users arrive. A dedicated AI security scan, or thirty minutes from someone who codes, catches the stuff that leaks databases.
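Steps 3 and 4 can be checked mechanically before launch. The script below is an added example, not tooling from any platform or scanner named in this issue: it scans source text for the secret shapes called out above (a Stripe-style `sk_live_` key, an AWS access key id, and a generic `api_key = "..."` assignment) and it refuses a requirements file whose entries are unpinned, carry no `--hash` for pip to verify, or name a package no human has put on the approved list. The source snippet, the requirements file, the approved list and the package name `stripe-payment-helper` (standing in for a hallucinated package) are all constructed; the hash value is an obvious placeholder.

```python
import re

# Secret shapes to refuse. The Stripe "sk_live_" prefix and the AWS "AKIA" + 16 chars
# access key id are real formats; the generic rule catches api_key/password/secret
# assigned a quoted literal. Values read from the environment never match.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"sk_live_[0-9a-zA-Z]{16,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"""(?i)(api[_-]?key|password|secret)\s*[:=]\s*["'][^"']{8,}["']"""
    ),
}

# A pinned requirement: name==version (pip's exact-version operator).
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")


def find_hardcoded_secrets(source):
    """Return (line number, pattern name) for every line that embeds a credential literal."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def _logical_lines(text):
    """Join requirements lines continued with a trailing backslash, as pip does."""
    buf = ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1] + " "
            continue
        yield (buf + s).strip()
        buf = ""
    if buf:
        yield buf.strip()


def check_requirements(requirements_text, approved):
    """Flag every requirement that is unpinned, unhashed, or not human-approved."""
    problems = []
    for line in _logical_lines(requirements_text):
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            problems.append((line, "not pinned with =="))
            continue
        name = m.group(1).lower().replace("_", "-")
        if name not in approved:
            problems.append((name, "not on the approved list (possible hallucinated package)"))
        if "--hash=sha256:" not in line:
            problems.append((name, "no --hash, pip cannot verify the download"))
    return problems


# Constructed sample input: what a weekend app's main file and requirements might look like.
SAMPLE_SOURCE = '''\
import os
STRIPE_KEY = "sk_live_FAKEFAKEFAKEFAKEFAKE"   # pasted in during testing
DB_PASSWORD = os.environ["DB_PASSWORD"]       # the right way: read from the environment
aws_key = "AKIAIOSFODNN7EXAMPLE"              # AWS's documented example key id
OPENAI_API_KEY = "hypothetical-plain-text-key-1234"
'''

SAMPLE_REQUIREMENTS = '''\
# constructed requirements file; the hash below is a placeholder, not a real digest
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
flask>=2.0
stripe-payment-helper==1.0.0
'''

# The human-approved list: names a person, not the AI, has decided the app may install.
APPROVED_PACKAGES = {"requests", "flask"}


def pre_launch_check(source, requirements_text, approved):
    """Run both checks; an empty report means steps 3 and 4 pass."""
    return {
        "secrets": find_hardcoded_secrets(source),
        "dependencies": check_requirements(requirements_text, approved),
    }


if __name__ == "__main__":
    for kind, findings in pre_launch_check(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS, APPROVED_PACKAGES).items():
        for finding in findings:
            print(kind, finding)
```

Run it against the constructed input and it reports the two pasted keys and the plain-text API key, the unpinned `flask`, and the unknown, unhashed `stripe-payment-helper`. The approved list is the slopsquatting seatbelt in step 4: a name the AI suggested gets installed only after a person has confirmed the package exists and is widely used, and the `--hash` pin means pip rejects a download that does not match what was approved.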

If you'll never build an app — this still reaches you, because you use them:

The shiny new tool you just signed up for may have been assembled in a weekend by someone who, by their own cheerful admission, "didn't write a line of code." So be stingy with what you hand a brand-new app — especially anything sensitive: bank details, medical info, ID documents. Use a unique password for every service (a password manager makes this painless), so one leaky app can't unlock the rest of your life. And treat "built entirely with AI" as a reason for caution, not a selling point — until the tool has been around long enough to prove its locks actually hold.

The takeaway

Picture Maor Shlomo again, six months in, selling the thing he described into existence for eighty million dollars. That's the headline, and it's a good one — the barrier that kept most people out of software just fell, and a lot of brilliant ideas are going to get built that never would have.

But every app that gets built in a weekend is also a vault that got built in a weekend, and someone, somewhere, is checking whether the door actually locks. The answer isn't to stop building — it's to spend one more prompt, one more checkbox, one more half-hour fitting the locks the AI forgot. The magic and the safety were never a trade-off. We just got so dazzled by how fast the door opened that we forgot to see if it closed.

Software just learned to build itself from a sentence. The job now is to make sure the sentence includes "…and keep it safe."

Reply and tell us: have you built something by vibe coding — or been burned by an app that leaked? Tell us the story. Best answers get featured next week.

— itscybernews · written by a human, edited by a slightly suspicious agent ·