🍵 On Tea Dating, AI and Vibe Coding security

TL;DR: the antidote for mistakes AIs make is… more AI.

I've gotten quite a few pings on the Tea dating app security breach that leaked 72,000 selfies, driver licenses and IDs. There's speculation that 'vibe coding' is the culprit, i.e., AI agents writing code for mostly non-technical users with app or business ideas.

Given @vercel builds @v0, a platform with 7 app generations per second, and our AI cloud hosts many platforms in this category (like @cursor_ai and @durableai), I thought I'd share my thoughts on this.

First, AI coding is here to stay. Microsoft's @satyanadella reported 30% of their code is now written by AI, Google's @sundarpichai reported 25% last year, Meta aims for 50% by 2026. For younger companies like Robinhood, it's now the 'majority' of its code.

Let's now analyze the particular vulnerability at hand. From the leaks on 4chan and other sources, it sounds like the Firebase cloud storage bucket was exposed to the public. Imagine if you took your iCloud Photos and gave them to the whole internet.

Fun fact: we can actually confirm this because the Wayback Machine crawled that bucket, which is essentially like any other URL on the internet: (source: https://t.co/SPpmuRPmuG)

So, onto vibe coding. It's true that Vibe Coding has increased the frequency of this category of incident, which we can broadly describe as "any client gets access to all the server data". 2 similar leaks came to our attention just last week, including a viral 'waitlist' app where all the emails were leaked to the client:

Lots to unpack here. First, this category of issue is not exclusive to AI coding. The best analogy to understand what's happening to programming is self-driving cars. Autonomous vehicles operate with the same tools and platforms as humans (steering wheel, highway), much like AI coding uses existing cloud infrastructure and programming languages.
When I saw this Firebase issue, it reminded me of virtually the same thing that happened to expert human coders using Firebase not too long ago (https://t.co/kiGd1Yjbj1). Cursor, ClickUp, Linear, Notion Calendar and many other apps using ToDesktop were not just leaking 'selfies', they were leaking the entire ability to mutate and run code on your computer 🤯

(As a citizen of the internet, I at the time loudly expressed my huge gratitude to the responsible disclosure of the researcher and the speedy response from ToDesktop.)

If we go further back in time, we see this category of issue afflicting "human drivers of code", much like both self-driving and normal cars can both crash, throughout history.

The way you find this vulnerability is astonishingly easy. In the case of Tea, it took exactly all of three clicks in a web browser (① View → ② Developer Tools → ③ Network) and some ingenuity. For ToDesktop, it was basically the same, but with an extra layer of obfuscation (download the app source, de-obfuscate it, find a Firebase db admin password, now you can push any source code update to these apps). For Capital One, the same again, but with 2 extra layers: find vulnerability in an app, then find an open 'admin server' (the EC2 metadata server), then get full access to an entire network of computers (https://t.co/297PgBzT7m).

So, it's obvious this issue was common even when programming was wielded by engineering experts, even at banks where the security bar is set really high.

With AI, it's likely more code will be written in the next few months alone than in the entire history of computers. Where do we go from here?

1️⃣ More AI. When we saw one of the earliest vibe coding snafus happen in our industry, the @v0 team moved quickly to deploy an agent that reviews the generated LLM code and patches it automatically. Our metrics show that we prevent thousands of these issues a week. If these issues are easy for humans to detect, they're easy for AIs to detect too.
What's more, this technology can be leveraged for automatically reviewing code written by humans and other AIs. This is an example of a vulnerability caught by our @vercel review agent, which we'll be rolling out more broadly:

What's exciting about this is that this system learns and improves from every review and every incident for every customer, much like the entire fleet of self-driving cars learns from crashes.

2️⃣ Agent-native infrastructure. Why is it so easy for an agent to do the wrong thing? If you're a developer, you know that code that deals with authorization and access to secrets does not belong client-side. It belongs server-side. It's been a well-understood programming practice for years. And because it's been part of the programming canon, LLMs and agents know it too.

Some platforms are not giving the agents the right infrastructure to work with. For example, giving agents production database access to save on storage costs, or giving them a limited runtime (running code in the browser) to save on compute costs.

With @v0, we're working very hard for this 'self-driving car' to not just meet the bar of quality of what a human expert would do, but exceed it. I believe AI will create more secure, more performant, more accessible code, but this time in the hands of everyone.
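
An added example, not part of the original post and not Vercel's review agent: a small static check for the "any client gets access to all the server data" class in Firebase Storage rules, flagging every allow statement that never consults request.auth. Both rule sets are constructed samples, and auditRules is a hypothetical helper name.

```javascript
// Constructed sample rules, not taken from any real project.
const OPEN_RULES = `
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if true;   // anyone on the internet
    }
  }
}`;
const SCOPED_RULES = `
service firebase.storage {
  match /b/{bucket}/o {
    match /users/{userId}/{allPaths=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /public/{file} {
      allow read;                   // no condition: always granted
      allow write: if false;
    }
  }
}`;

// Heuristic review (hypothetical helper): report every `allow` whose condition
// never consults request.auth, together with the full match path it covers.
function auditRules(text) {
  const src = text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
  const token = /match\s+(\S+)\s*\{|allow\s+([\w\s,]+?)\s*(?::\s*if\s+([^;]+))?;|[{}]/g;
  const scopes = [];   // one entry per open brace; "" for non-match blocks
  const findings = [];
  for (const m of src.matchAll(token)) {
    if (m[1] !== undefined) scopes.push(m[1]);        // match <path> {
    else if (m[0] === "{") scopes.push("");           // e.g. service ... {
    else if (m[0] === "}") scopes.pop();
    else {
      const cond = (m[3] || "true").trim();           // missing condition = allow
      if (cond === "false" || /\brequest\.auth\b/.test(cond)) continue;
      findings.push({
        path: scopes.join(""),
        ops: m[2].split(",").map((s) => s.trim()),
        cond,
      });
    }
  }
  return findings;
}

console.log(auditRules(OPEN_RULES));    // whole bucket readable and writable
console.log(auditRules(SCOPED_RULES));  // only the deliberate public read
```

A rule that only checks request.auth != null passes this check while still letting every signed-in user read everything, so an empty result is not proof that authorization is correct. The /public read is reported on purpose so a reviewer confirms it is intentional.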