A story about a non-technical friend: friend vibe coded a SaaS last year and started generating revenue with almost no marketing; all word of mouth and inbound in a niche industry. Used Replit and Supabase to build the thing; I am still really impressed by what he was able to do given how complex the app ended up becoming as he interacted with customers.

What I think happened: there are two incumbents in this space that are not happy about him showing up and charging a fraction of their monthly cost for a better, more modern product (their products are Windows-based desktop software). So they hired hackers to hack his SaaS (because these hackers have never demanded money). Unfortunately, that vibe-coding resulted in some bad code that made it easy to hack. First, the user list was leaked on the FE of the code and the hacker emailed all of the customers. Second, the hacker got a hold of his Stripe key and issued every customer a refund. Third, the hacker has been trying to inject XSS attacks into the app (we'll see a random `<script>alert()</script>` tag in some fields).

I think indeed, vibe-coded software in the hands of the inexperienced is instant tech debt. But at the same time, he was able to prove out a viable business in a matter of a few months with no engineering background and no technical capability.

Now he's hiring a developer to shore it up.

Was it worth it? Yes, it is terrible, shoddy, insecure code, but he proved out a viable business with just a few hundred dollars of investment.

I would not default to assuming it was his competitors, that sounds like scapegoating to deflect responsibility. What most likely happened is his site was scanned by one of the increasingly sophisticated exploit crawlers (anyone who runs an internet facing site and can view traffic knows what I'm talking about). His site got flagged as vulnerable, the hacker found out it was built like Swiss cheese and had fun with it.

It's 100% this. Anyone who's run a website or web app for any length of time in recent years and makes a habit of inspecting their logs will quickly realise that they're being scanned by bots looking for vulnerabilities multiple, or even many, times per day. The search for vulnerabilities is entirely automated and will pick up any domain that has a website or web app attached to it.

Once those vulnerabilities are found, the hackers will pounce, and, whilst ransomware is one potential outcome, they might instead do all of the kinds of things GP has described. They don't care what the site is for or what industry you're in.

>Once those vulnerabilities are found, the hackers will pounce

...and work to exploit your code to their own benefit. They don't do this just so that they can refund your customers.

Often it's just done for reputation. "We got ahold of their stripe key and refunded everything lol" is hilarious and absolutely on-brand.

I mean, I can see refunding their customers just for the lols.

From the customers' perspective sounds ethical. The product was broken or extremely cheap quality, and not what it seemed to be originally when you decided to purchase... Is this black or white? ;p

> anyone who runs an internet facing site and can view traffic knows what I'm talking about

Most of what I see is looking for very specific vulnerabilities - a very high proportion are looking for hidden files and directories being served (e.g. .git, .env) or specific software (e.g. Wordpress), or similar.

In over 20 years of dealing with many mostly smallish businesses the compromises have been:

1. A client who insisted on using Wordpress for one of their sites (against my advice) because they had people who knew it so it was the cheap option. It was easy to see what would happen because those people were not available long term.

2. A very carefully set up server with a hardened kernel etc. I did not set it up so cannot give all details and neither do I know how it was compromised. It was carefully set up because it was a target for political reasons so I would guess it was a targeted attack.

On the other hand I know there have been many vulnerabilities. There have been many vulnerabilities in the applications - the outstanding examples being creating queries by concatenating user input with SQL (no escaping at all) in multiple places across a small site (years ago), and (recently) finding code that called (python) exec on user input. Many other flaws that have been present for years. Not updating OSes, server software and frameworks for many years is usual.

In spite of all that, just those two compromises. You will probably get away with a high degree of bad code and bad practices in deployment and maintenance with a small site.

Who else would spend the time and effort to figure out you leaked your Stripe key to your front end? Sure people have bots to do that, but it’s kinda unbelievable someone would run such a bot on their vibe coded website.

I have a strictly hobby web app that I work on. 6-7 years ago I inadvertently pushed AWS email service credentials to GitHub.

Half an hour after the push I got an email and text from GitHub that I had exposed credentials. I quickly logged in to my AWS to turn off the service, to see that AWS had suspended that service because the bounce rate on the 80000 emails sent in that 15 minute period was too high. It was crazy just how fast it was exploited.

>> It was crazy just how fast it was exploited.

People underestimate the speed, but also the number of pivots that advanced attackers will make. Sure, these kinds of problems are easy to exploit, but with major organizations that employ reasonable defenses, the attackers will pivot through 50+ exploits/machines/layers to get to the target(s). This can take place over weeks or months.

It still doesn't make sense that advanced attackers would go to those lengths in order to... refund the customers.

There are lots of smart kids who don't particularly need reasons for causing mayhem. Suppose it was somebody profit-motivated though. They might be:

1. Distracting from a more important vulnerability

2. Later contacting customers, advising them of the "accidental" refund and redirecting them to a more appropriate payment mechanism (one without the KYC Stripe does, were they to try to steal funds directly)

3. Testing stolen credit cards before using them elsewhere

Etc. Scamming people is a big industry, and not all of the plots are immediately obvious.

Vibe hacking is much older than vibe coding.

Maybe the guy's running the chatbot as customer service and a user turned hacker to get his money back.

Plenty of hackers do it "for the lolz".

Here's an amusing thing to try on anything with SSH exposed. These log files go back a month.

  # zcat -f /var/log/auth.log* | awk '/sshd/ && /Invalid user/ && $6 != "from" {print $6}' | sort | uniq -c | sort -bnr | head -n 30
     5190 #redacted: my domain name
     3063 admin
     1891 #redacted: another domain name
      931 user
      724 ubuntu
      287 test
      268 solv
      206 odoo15
      200 solana
      197 sol
      184 ubnt
      173 wialon
      170 Antminer
      169 guest
      168 odoo17
      159 oracle
      157 postgres
      151 git
      150 support
      142 ftp
      135 ftpuser
      120 debian
      118 pi
       91 nginx
       85 baikal
       82 docker
       81 perl
       74 operator
       74 deploy
       72 dev
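The awk one-liner above counts by whitespace field, so the right field number depends on the log's timestamp format, and an attempt with an empty username leaves the literal word `from` in that field. As an added example (not code from any poster in this thread), here is a Python version that anchors on the message text instead, so it handles both rsyslog's ISO-timestamp lines and journalctl's default output and skips empty usernames explicitly; the sample log lines are constructed.

```python
import re
from collections import Counter

# Anchor on the sshd message rather than on field position, so the same code
# works for "2025-05-01T10:00:01.000000+00:00 host sshd[1]: Invalid user X from IP"
# (rsyslog, ISO timestamps) and "May 01 10:00:01 host sshd[1]: Invalid user X from IP"
# (journalctl short format). An empty username is logged as "Invalid user  from IP".
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*?) from (?P<ip>\S+)")


def count_invalid_users(lines):
    """Return (Counter of usernames tried, number of attempts with an empty username)."""
    counts = Counter()
    empty = 0
    for line in lines:
        match = INVALID_USER_RE.search(line)
        if not match:
            continue  # accepted logins, disconnects and non-sshd lines are ignored
        user = match.group("user")
        if user == "":
            empty += 1  # the case the awk guard `!= "from"` was meant to drop
            continue
        counts[user] += 1
    return counts, empty


def top_users(lines, n=30):
    """Same shape as `sort | uniq -c | sort -bnr | head -n N`: [(user, count), ...]."""
    counts, _ = count_invalid_users(lines)
    return counts.most_common(n)


# Constructed sample lines (not a real log), deliberately mixing both formats.
SAMPLE_LOG = """\
2025-05-01T10:00:01.000000+00:00 vps sshd[1001]: Invalid user admin from 203.0.113.10 port 41000
2025-05-01T10:00:02.000000+00:00 vps sshd[1002]: Invalid user admin from 203.0.113.11 port 41001
2025-05-01T10:00:03.000000+00:00 vps sshd[1003]: Invalid user  from 203.0.113.12 port 41002
2025-05-01T10:00:04.000000+00:00 vps sshd[1004]: Accepted publickey for deploy from 198.51.100.5 port 50000 ssh2
May 01 10:00:05 vps sshd[1005]: Invalid user oracle from 203.0.113.13 port 41003
May 01 10:00:06 vps sshd[1006]: Invalid user pi from 203.0.113.14 port 41004
May 01 10:00:07 vps sshd[1007]: Invalid user admin from 203.0.113.15 port 41005
May 01 10:00:08 vps sshd[1008]: Invalid user  from 203.0.113.16 port 41006
"""

if __name__ == "__main__":
    # Real use: python count_invalid.py < <(journalctl -u ssh) or zcat -f /var/log/auth.log* | python count_invalid.py
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    counts, empty = count_invalid_users(lines)
    for user, n in counts.most_common(30):
        print(f"{n:8d} {user}")
    print(f"(skipped {empty} attempts with an empty username)")
```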

Interestingly, I have a server that only has IPv6 SSH open to the outside world, and it has exactly zero that aren't me fat-fingering a password. It does have an externally visible hostname, which says to me that the bots aren't looking at hostnames for SSH, just IP(v4) addresses.

Meanwhile on my publicly available Oracle VPS...

  22307 admin
  19668 user
  15396 ubuntu
   7038 user2
   6954 test
   6375 debian
   3938 ftpuser
   3433 postgres
   3416 oracle
   3076 deploy
   3003 steam
   2917 user1
   2830 dev
   2570 test1
   2352 es
   2187 server
   1957 hadoop
   1680 alex
   1676 guest
   1517 testuser
   1494 sammy
   1392 mysql
   1228 minecraft
   1218 pi
   1184 support
   1148 sysadmin
   1140 ubnt
   1120 from
   1090 123456
   1035 test2

I'm wondering what 'seekcy' is. Possibly a Chinese security product?

  $ journalctl | awk '/sshd/ && /Invalid user/ && $8 != "from" {print $8}' | sort | uniq -c | sort -bnr | head -n 30
     34 admin
     26 oracle
     21 postgres
     20 user
     18 test
     18 seekcy
     17 ftpuser
     15 ubuntu
     15 inspur
      9 zabbix
      8 nginx
      8 mysql
      8 jenkins
      8 hadoop
      7 server
      7 nagios
      6 teste
      6 amax
      5 support
      5 backup
      5 administrator
      4 git
      4 demo
      4 a
      3 zyfwp
      3 usuario
      3 tomcat
      3 testuser
      3 test1
      3 teamspeak

Googling it points to a Chinese IoT company, so I am thinking maybe they have some IoT software with known vulnerability where they have seekcy as the ssh username that is being actively scanned for.

> 118 pi

I wonder why this features so low in the list. The default user:pass combo for Raspbian/Raspberry Pi OS is pi:raspberry

https://forums.raspberrypi.com/viewtopic.php?t=151745

was pi: raspberry, but it was changed a long time ago to have no default user:pass

Wouldn't say it is low if it is within the top 20 amongst other very popular services.

I'm surprised there is no root there? In my experience this is by far the most common.

I'm almost certain SSH does not allow root login by default.

Yes, and it is disabled on my servers and I'm glad for this, because it still seems to be the most common in my logs.

> It was crazy just how fast it was exploited.

The internet is a wild place in any aspect of it. You should try spinning up a random virtual private server on any cloud provider, plug in a public IP address, and listen to traffic. Sometimes it takes seconds to get your first traffic from vulnerability scanners.

This 100%. I'm in a space with developers and customers deploying web servers for the first time. This traffic freaks them out.

Basically a simple server listening on a port will experience hundreds of random script-probing attacks per day. And if any of them show the slightest hint of succeeding then that escalates quickly to thousands per minute.

You don't need a DNS entry to "expose" the IP address (there are only 4 billion). Moving to another port reduces, but doesn't eliminate the traffic.

Telling people this freaks them out. But as long as the server is done well it's just noise.

Yesterday it was 4 seconds from a LE cert -> scans for .env and other low hanging info leak/vulnerabilities from at least 4 different scanners.

There are groups out there just looking at the certificate transparency logs to get the newly added certs to scan.

Yeah, that's one of the reasons why I started to put all my dev side projects under a single wildcard subdomain: I used to create new certs automatically with letsencrypt and every time this spam happened. If I do things right it shouldn't matter, but I still feel better with the wildcard if I was to make a mistake...

Short related story: some customer wanted an API with a basic firewall, they said they don't need filter rules as it won't be used or something. I put a dumb API online (doing nothing) and showed them the request logs after one day. They approved the filter rules immediately.

Years ago back in 2001, I had a /29 giving me 5 real IP addresses from my ISP.

Back then, I mostly only ran Linux, but for some reason, I needed to run something on a Windows machine, so started installing Windows 98 SE onto a machine, and set it up with a public IP address without even thinking about it. It crashed before it'd even finished installing [0], and investigation showed that it'd been whacked by an automated RCE exploit scanner.

I immediately decided it was never worth the risk of putting a Windows machine on a public IP, and set up a NAT even though I had 3 spare public IPs.

[0] There was already a published update to protect against this exploit, but I was scanned and hacked between the base install exposing the bug and the automatic update patching it.

Yeah, I recall Windows sysadmins pulling out the LAN cable at bootup, installing updates via floppy disks and reconnecting the LAN cable.

Github repositories have statistics about access. Anyone can test this.

Create a new Github repo, within minutes there's someone (or something) poking around it.

Similarly if you post any credentials, they'll either get nabbed and used or a friendly scanner service will notify you about it and will tell you exactly where the credential is if you make an account in their service.

I think common people also underestimate how fast a computer really is nowadays, because they only know bloated MS Windows machines.

Why is it unbelievable? There is an entire industry of people trying to find vulnerable niche applications like this. There are bots which crawl the web, not to make an index, but just to find vulnerabilities. Nobody necessarily even had to 'point' anything at this at all, it just shows up on their dashboard one day and they get to dig in.

I would not be surprised if Shodan.io ends up with queries for easily identifiable markers of vibe-coded software.

> There are bots which crawl the web, not to make an index, but just to find vulnerabilities.

You can download a few of them out of GitHub and run them immediately, too.

I was being facetious. Yes, there are millions of bots that are constantly searching every website for leaked keys, passwords, database credentials, crypto wallets, firebase endpoints, s3 buckets, email addresses, phone numbers, etc. the list is bottomless

Yep. We once had left a socks proxy unprotected on a public IP, no cert, just a random IP and a fixed port. One day the service stopped working. When looking into it, the network was overloaded with random IPs from all over the world surfing on the free proxy.

> Who else would spend the time and effort to figure out you leaked your Stripe key to your front end?

In high school in the early 2000’s, I ran a small Apache server from my home that was basically Geocities but even less discoverable - I used it to learn PHP, SQL, and frontend. One day my log started filling rapidly as someone effectively ddos’d my home server. If they’d bothered to actually poke, they likely would’ve been able to exploit it relatively quickly even without all of today’s tools. I imagine the process of discovery and exploitation is magnitudes more impressive and performant today.

> Who else would spend the time and effort to figure out you leaked your Stripe key to your front end? Sure people have bots to do that, but it’s kinda unbelievable someone would run such a bot on their vibe coded website.

I could offer some anecdata as a counterargument but I'm a bit ashamed about how it happened so I'll just say, your friend was lucky it only ended at that.

I've seen it happen - a key was leaked in a stacktrace somewhere and it took a scraper a couple of days to find it. Stripe helpfully prefixes their keys with sk_prod_ so you can completely automate something to iterate over every IPv4 address and see if something in the output matches.
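The leaks discussed in this thread (a Stripe secret key shipped to the front end, AWS credentials pushed to a repo) are cheap to catch before anything is deployed. As an added example that is not any poster's code, here is a Python check that scans a built frontend directory for secret-shaped tokens; it uses Stripe's documented `sk_live_`/`sk_test_` secret-key prefixes (publishable `pk_` keys are designed for the browser and are not flagged) and the AWS `AKIA` access-key-id shape, and the bundle excerpt it runs on is constructed.

```python
import re
import sys
from pathlib import Path

# Shapes of secrets that must never reach client-side code.
# Stripe secret keys are sk_live_/sk_test_ (restricted keys rk_live_/rk_test_);
# publishable pk_ keys are meant to be public and are deliberately not matched.
# AWS access key ids are "AKIA" followed by 16 uppercase alphanumerics.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{10,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def find_secrets(text, source="<string>"):
    """Return one finding per secret-shaped token, with a short redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "preview": match.group(0)[:8] + "...",  # never log the full secret
                })
    return findings


def scan_build_dir(root, suffixes=(".js", ".mjs", ".html", ".map", ".json")):
    """Walk a built frontend directory (e.g. dist/) and collect findings from shipped assets."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(find_secrets(text, source=str(path)))
    return findings


# Constructed excerpt of a built bundle (placeholder values, not real credentials).
SAMPLE_BUNDLE = """\
// constructed excerpt of a built frontend bundle
const stripe = Stripe("pk_test_EXAMPLEPUBLISHABLE00000");
const API_KEY = "sk_test_EXAMPLE0000000000000000";
fetch("/api/users");
const aws = { accessKeyId: "AKIAEXAMPLE000000000", region: "us-east-1" };
"""

if __name__ == "__main__":
    # Usage in CI: python check_bundle.py dist/  (non-zero exit fails the deploy step)
    results = scan_build_dir(sys.argv[1]) if len(sys.argv) > 1 else find_secrets(SAMPLE_BUNDLE, "sample")
    for finding in results:
        print(f"{finding['source']}:{finding['line']}: {finding['kind']} ({finding['preview']})")
    sys.exit(1 if results else 0)
```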

You don't scan just a single website, you code up the bot once and then scan every site you can find.

Your friend's service was just the proverbial paper car in a thunderstorm: the thunderstorm doesn't care about the paper car but destroys it just the same.

My website has a "public" directory for things I wanted to be publicly accessible, but there's an index.html there so you can't trivially discover what files are there.

I was mirroring this to another machine, and I'd foolishly already configured haproxy to serve from either machine. In the 10 minutes (guesstimate) between starting to populate the directory and closing off access, I had one bot scrape every single file in there. What was worse was that it'd cached the index, and continued scraping these files from the other backend too, so I had to shut off access to that directory on the live server as well as the backup.

Whilst technically, all of these files were "public" because I wanted to share them, some of them weren't publicly linked to (things like my CV etc) which I'd rather hadn't been scraped by some random bot (that of course, didn't identify itself or respect robots.txt).


Nah, that's table stakes for a public facing website.

The thing about bots is that it costs almost nothing to run them against millions of sites every day. It's got nothing to do with "but what are the odds?!", at large enough scale, unlikely things happen all the time.

Shame on this dude.

Oh you sweet summer child.

It's def a hacker from the incumbent because:

1) They took action after getting the Stripe key by refunding all customers

2) They drafted an email to all customers after a hack that got the mailing list and API route to send emails

3) Not once has the hacker asked for compensation of any kind nor a ransom

Not sure how to word this, but are you "new" on the internet? People used to break stuff "for the lulz" since the dawn of time.

I remember when I was a kid running a tiny forum with phpbb or something, and some script kiddies from g00nsquad (can't remember exact spelling, but something like that) defaced it. They didn't ask for money, they just did it for fun.

Sure things have changed now and the internet has become more corporate, but I reckon there are still people out there doing this stuff because they can.

> Sure things have changed now and the internet has become more corporate, but I reckon there are still people out there doing this stuff because they can.

I recall a while back there was a story here about a recipe app that used LLMs to generate recipes. It didn't take long before posters started showcasing recipes they tricked the LLM to generate, involving ingredients such as cyanide and computer chips.

The pull is always there.

My understanding has always been that most hackers do it for the fun/challenge/sport of it and it's only a small fraction who are in it for the money.

Breaking things is just fun for them and the internet is their video game.

Also the vibe I am getting from places like reddit/etc... is that it's currently open season on vibe coded apps. Lots of internet points to be had for destroying them.

Breaking things is fun. Effectively stealing money (the refunds) is highly illegal, immoral, and malicious. Who knows who did it, but that aspect is just dickhead territory.

I wouldn't call that stealing. It is a forced refund. A hacker could even justify it to himself that these people were unknowingly paying for a shitty product that was built like Swiss cheese, time to give them a refund. Another plausible one is "this guy shouldn't be allowed to run a website, I can't believe he made money for it, it is going back".

I am not saying it is the most likely case or even ethically justified but it is definitely not a super unlikely one. Anyone who thinks that's an impossible scenario has not been in the hacker's shoes.

> I wouldn't call that stealing. It is a forced refund.

If someone took money out of your pocket would you call it stealing? What if they gave it to someone else, like a past employer or your parents or a humanitarian organization?

By the way, you should check a dictionary. The definition of "stealing" is literally taking something away without permission.

Being in the possession of a password or key implies having permission to use that key. When generating a key you give everyone with access to that key the permission to use it to perform actions on your account.

Protect your keys.

> Being in the possession of a password or key implies having permission to use that key.

No, it doesn't.

Yes, it does.

> Being in the possession of a password or key implies having permission to use that key

So if I get your house key I can use your bathroom?

Seriously, what hill are you trying to die on here?

Depends - did I hand it out at the street corner?

Nah, you left it under your door mat.

Would insurance cover that?

Does it matter?

Yes.

Refund or chargeback? The processing fees for a chargeback on every transaction could put him out of business.

He's lucky they didn't find a way to use it for card washing.

It would have had to be a refund. The hacker couldn't initiate a chargeback from knowing the merchant's Stripe keys. Seriously doubt it was a competitor. The risks of hiring someone to commit felonies against your competitors just isn't worth it. Especially since the vibe coder seems to be bungling things on their own just fine.

How about you pay more attention to the story? It's not Visa/MasterCard or the customers that got hacked.

> I wouldn't call that stealing. It is a forced refund.

Respectfully, what the hell are you talking about?

Imagine you work 40 hours making an app and I pay you for those 40 hours. A third party comes in and says, I'm forcing a refund here - you lose the money you made, but you get the app you made.

How do you feel about this forced refund?

>I wouldn't call that stealing. It is a forced refund.

Can you name an instance of stealing that could not be described as a forced refund?

I don't see how any of that implies that an incumbent did it.

If you were a criminal trolling the Internet for vulnerable servers and found stripe keys... would your first instinct be to refund customers rather than do some other sort of crime? Like what's the motivation you envision here?

"Because I can" or "Because it's funny" are more than enough reason for most people. The fact that the hacker refunded all the customers, then emailed them to warn them that they were using a terrible app actually sounds like a pretty tame troll to me. If the hacker was truly hired by the competition to act maliciously, they could have done far, far worse.

Your friend should take this as a lesson instead of trying to deflect blame to their competitors.

> Because it's funny

I think you mean “for the lulz”

There are black hat hackers that take great joy in just causing as much chaos as possible, particularly with such vibe-coded apps. Even with stripe keys, it's not like they could direct money elsewhere.

Maybe a blackhat hacker decided that the software was so shoddily built that the company didn't deserve to continue existing, and decided to try to make that happen as a sort of vigilante justice against crappy vibe-coded apps.

Definitely not a good idea but it's not an unreasonable motivation.

Some people just want to watch the world burn :shrugs:

Fun and internet points!


what was in this email though?

Hey all I’m an independent security researcher and I found that you are paying for an app that is shoddily built and doesn’t respect your privacy or security so I decided to give you all a refund. Have a nice day!

Telling customers it was built with AI and insecure.

Please don't consider becoming a judge. Also, try re-reading what you wrote a few times.

The fact your friend is suffering no consequences and is able to just carry on is exactly what is wrong with this industry.

In a perfect world the creation of software would have been locked down like other engineering fields, with developers and companies suffering legal consequences for exposing customer information.

The 80s and 90s devs who built our current software infra were, on average, FAR less credentialed than today's juniors and mids who mostly don't understand what they're building on.

Sure, and Da Vinci didn't have an architectural degree when he was designing bridges, but now you need a proper license to do so. Society learns to do better.

The difference is we didn’t know any better back then. We do now.

Surprisingly, 80's and 90's developers were quite skilled low-level developers who knew very well all the ways things could go wrong. The difference was the stakes were not high then. The blast radius was maybe a hundred thousand people and the worst was they lost their own files. Now some AI-controlled process or apparatus could ruin everyone's credit and maybe even kill you and all your neighbors.

The whole comparison is apples to oranges. Products are massive nowadays and a whole lot more connected.

In our imperfect world, by the time the government could get together a reasonable certification process the content you're tested on would be out of date. Maybe when the industry is older it'll change slow enough to do that, but I don't think that'll happen so long as there's so much money aimed at disrupting everything and monetising the disruption.

We're going in circles far too fast to have licensure that hinges on being up to date.

That's what tort law is for. It leaves the details to the experts, and judges based on general notions of intent, negligence, and harm caused. The threat of financial ruin should incentivize against selling malware.

How do you use tort law to keep licensure curriculum up to date?

Let's say it was coded extremely well, but nevertheless a more advanced exploiter wreaked similar havoc. Would they still be liable in your perfect world? To some degree the principle of caveat emptor should apply in some tiny, nascent business, otherwise only large juggernaut monopolistic incumbents would have the means to have any stake in software.

> Let's say it was coded extremely well, but nevertheless a more advanced exploiter wreaked similar havoc.

A doctor kills a patient because of malpractice. Could that patient have died anyway if the patient had a more critical condition?

That is a non sequitur argument.

> Would they still be liable in your perfect world?

Yes. The doctor would be liable because they did not meet the minimum quality criteria. In the same way that the developer is liable for not taking into account any risks and providing a deeply flawed product.

It is impossible in practice to protect software from all possible attacks as there are attackers with very deep pockets. That does not mean that all security should be scrapped.

Yes, parent is arguing like, what if medical licensing protects the juggernaut hospitals at the expense of the street corner quack?

"Skip surgery by getting stabbed in an alley. Doctors hate this weird little trick!"

Imagine these two scenarios:

Your spouse dies in surgery. The highly experienced surgeon made a mistake, because, realistically, everyone makes mistakes sometimes.

Your spouse dies in surgery. The hospital handed a passing five year old a scalpel to see what would happen.

There's a clear difference; neither are _great_, but someone's probably going to jail for the second one.

In real, regulated professions, no-one's expecting absolute perfection, but you're not allowed to be negligent. Of course, 'software engineer' is (generally) _not_ a real, regulated profession. And vibe-coding idiot 'founder' certainly isn't.

There is a word for this, negligence. We need to start considering these failures to secure user data as criminal negligence.

That's always the double-edged sword with regulation, but sooner or later people will demand it, or much more of it.

I don't remember the specifics well, but under GDPR they'd be required to give breach notification to customers, maybe write a report and get audited and possibly get fined depending on the situation. Customers could demand compensation (probably doesn't make sense here).


Right. Because the solution to all of this madness is SOC2 compliance or something along those lines.

What happened is a perfect natural selection. The friend is a very small actor with probably a dozen customers not a multi-billion $$ company with millions of customers.


Well his customers got a refund, that's nice ;)

But I guess the lesson is to vibe code to test the market while factoring a real developer cost upfront and hiring one as soon as the product gets traction.


Imagine vibe coding spreads to civil engineering and people start building bridges this way. Have AI design it and then probably 3D print it on location.

> legal consequences for exposing customer information.

Still a good idea. Also without taking vibe coding into account. Far too many tech companies are way too sloppy with customer data. Often intentionally so.

In that world we’d just be transitioning to 32-bit software and still running MS-DOS since it’s certified. Linux would never ever have broken through. Who can trust code developed by open source cowboys? Have we verified all their credentials?

There are some industries where the massive cost of this type of lock down — probably innovation at 1/10th the speed at 100X the cost — is needed. Medicine comes to mind. It’s different from software in two ways. One is that the stakes are higher from a human point of view, but the more significant difference is that ordinary users of medicine are usually not competent to judge its efficacy (hence why there’s so much quackery). It has an extreme case of the ignorant customer problem, making it hard for the market to work. The users of software usually can see if it’s working.

You, of course, say that like it's a bad thing.

I'll say video games would certainly be worse.

I don't know if we'd be worse off with a lot of other software and/or public internet sites of 20-to-30 years ago. A lot of people are unhappy with the state of modern consumer software, ad surveillance, etc.

Probably a lot less identity theft and credit card/banking fraud.

For social media, it depends on if that "regulate things to ensure safety" attitude extends to things like abuse/threats/unsolicited gore or nudes/etc. And advertising surveillance. Would ad tracking be rejected since the device and platform should not be allowed to share all that fingerprinting stuff in the first place, or would it just be "you can track if you check all the data protection boxes" which is not really that much better.

I'm sure someone would've spent the time to produce certified Linux versions by now; "Linux with support" has been a business model for decades, and if the alternative is pay MS, pay someone else, or write your own from scratch, there's room in the market.

(Somewhere out there there's another counterfactual world where medicine is less regulated and the survivors who haven't been victimized by the resulting problems are talking about how "in that other world we'd still be getting hip replacement surgery instead of regrowing things with gene therapy" or somesuch...)

A lot of the things people are upset about are not related to this issue and not something licensing engineers would fix. They're products of things like market incentives.

What you're really talking about when you talk about "locking down the field" is skipping or suppressing the PC revolution. That would make things like opaqueness and surveillance worse, not better. There would be nothing but SaaS and dumb terminals at the endpoint and no large base of autodidact hacker types to understand what is happening.

I have wondered if medicine wouldn't be a lot more advanced without regulation, but I tend to think no. I think we have the AB test there. There are many countries with little medical regulation (or where it is sparsely enforced) and they do not export sci-fi transhumanist medical tech. They are at best no better than what more regulated domains have. Like I said, I think many things about medicine are very different from software. They're very different industries with very different incentives, problem domain characteristics, and ethical constraints. The biggest difference, other than ethics, is that autodidactism is easy in software and almost impossible in medicine, for deep complicated practical as well as ethical reasons.

For software we do have the AB test. More conservative software markets and jurisdictions are vastly slower than less conservative ones.

I think you're proving their point. There are different kinds of software that require different kinds of regulation.

I disagree. Mature open source projects last long enough without significant disruption to still be relevant after they make it onto the certification exam. Products, not so much.

Investing time building familiarity with proprietary software is already a dubious move for a lot of other reasons, but this would be just one more: why would I build curriculum around something that I'm just going to have to change next year when the new CEO does something crazy?

And as bad as it might be for many of us who hang out here, killing off proprietary software would be a great step forward.

You're assuming the process would not be instantly subjected to regulatory capture by for-profit companies and by universities with an interest in inserting themselves into the required licensure pipeline.

Microsoft in the 1990s would have used the regulatory and licensure process to shut down open source. They tried to do it with bullshit lawsuits.

A reliable, un-bloated OS? Sign me the eff up.

Go check out VxWorks or the like. Only 20K a seat, build tools at a similar price, and then, oh joy, runtime licenses required to deploy the sw you wrote.

Which are reasonable prices when lives are at risk.

Yes, I know RTOS are not general purpose, this is NOT apples to apples, but that is what that kind of reliability, testing, safety certification, etc. costs.

Or QNX for the price of Windows, for a certified UNIX.

...and this is where compliance comes in, and is the exact reason real companies won't talk to you unless you have (at minimum) SOC2. There's billions of products out there, how do you know if it's actually good software developed by a team, or some idiot like above vibe-coding slop into what appears to be a functional application? We all make fun of audits and checklist-based-security but it would've almost certainly prevented the above from happening.

GDPR fines can accomplish this.

How dare you stifle innovation with your communist laws, I thought this was America.

People really want to bring down the growth of the USA's software industry to EU level.

Letting another country be the wild west and then cherry-picking the good stuff while regulating the nasty stuff doesn't seem like a terrible place to be for the, what, 99% of people who aren't Silicon-Valley-bigtech-execs-and-engineers getting all those profits?

Even in the US most software jobs are lower-scale and lower-ROI than a company that can serve hundreds of millions of users from one central organization.

But for the engineers/investors in other countries... I think the EU, etc, would do well to put more barriers up for those companies to force the creation of local alternatives in those super-high-ROI areas - would drive a lot of high-profit job- and investment-growth which would lead to more of that SV-style risk-taking ecosystem. Just because one company is able, through technology, to now serve everyone in the world doesn't mean that it's economically ideal for most of the world.

> People really want to bring down the growth of the USA's software industry to EU level.

The EU is the only place hiring software engineers right now. Everyone in the U.S. just keeps laying them off.

That hiring is by US companies moving at US speeds, who greatly eclipse the growth rate of EU companies, which is the point OP was making.

I think "innovativeness" is massively overrated compared to network effects and consolidation.

Spotify is European. Any innovative SV companies going to unseat them with sheer pluckiness? Same goes for Meta or Amazon going the other way.

China and to some degree Russia have their own ecosystems due to anti-innovative barriers they put up.

> China and to some degree Russia have their own ecosystems due to anti-innovative barriers they put up.

You can add Korea to this list.

Some of that is US companies hiring in the EU because the salaries are lower. Source: I know of multiple companies, even on the smaller side, doing this.

The USA is bullying Europe into buying billions and billions of € worth of weapons and we're supposed to feel sad a couple of your jobs move to Europe?

It's a textbook case study of market failure in neoclassical economics caused by information asymmetry. If customers knew about the vulnerabilities, they wouldn't have paid money, or they would have demanded a lower price.

> Was it worth it? Yes, it is terrible, shoddy, insecure code, but he proved out a viable business with just a few hundred dollars of investment.

This feels like less of a win for the customers though. They're paying money and exposing their data insecurely, all for a product that maybe does what it's trying to do.

> Now he's hiring a developer to shore it up.

This is going to be way harder than it sounds...

I'm all for AI as a reference or productivity/learning aid, but the results without a human in the loop quickly get horrific.

It's a win for the customers. From what he's told me, there's zero churn so far despite the hacks (including one where the hacker emailed every customer about the hack).

It's because the software is that much of an improvement over the incumbents at a fraction of the cost. Better features, more flexible, easier to use, faster, etc. Everything about it is better than the two major vendors.

The rebuild will likely end up easier, IMO, because the screens and the logic is all done. Most of it just has to be moved to strict backend and then have the APIs secured correctly.

> The rebuild will likely end up easier, IMO, because the screens and the logic is all done. Most of it just has to be moved to strict backend and then have the APIs secured correctly.

How to draw an owl…

Step 1. Draw a circle. Step 2. Draw the rest of the owl…

The hardest thing about most business software is rarely technical. CRUD apps are CRUD apps.

In this case, it's understanding the use cases and flows that the customers value and where the incumbents are coming up short.

The hard thing about CRUD apps is how to structure your data, which is not something easy to rectify later on.

For relational data, nothing could be further from the truth.

> For relational data

There are other (worse) ways to structure data, you should not assume that a badly-built CRUD app uses a good one.

>The rebuild will likely end up easier, IMO, because the screens and the logic is all done. Most of it just has to be moved to strict backend and then have the APIs secured correctly.

Atlas can finally be relieved of holding up the sky, since the 'just' in that sentence is capable of even heavier lifting.

God, I'm living in a Dilbert comic.

I would have never thought I would one day envy licensed professionals like lawyers who have a barrier to entry into their profession.

Did he need it to prove a business viable if there were already players in the market? No. Do you ever need to validate that people would switch providers of a commodity product or service if presented with a cheaper option? Also no. What did he learn then, that he can create a partial solution that people might pay for initially (no data on renewals) but will ultimately have to actually hire people to build a real product which will eat at his differentiator (price). Wait until he decides he actually has to spend money on marketing.

The good news is that with each of these we get to "validate" that having an idea still isn't worth much without the ability to actually execute.

As a business owner I can tell you that price is not the only factor people look at when choosing to engage with a business. I've tried the whole "cheapest offer in the market" thing and it's backfired terribly. The main insight I've gained is that customers have a perceived value of a product that aligns with things like branding, marketing, previous experiences, and perceived popularity. People are willing to pay more for these things.

Yes exactly: branding, marketing and market share matter.

He validated that he could get customers. The comment says he started generating revenue so he had real customers.

If he had been unable to get customers he would have known it was not worth building a real product.

That's like saying Canva and Figma didn't need to prove there was a market because PowerPoint and Photoshop existed.

It's the opposite, right? When a dominant incumbent exists, you have to prove that there is a market for an alternative that can compete with more mature, established software.

This is morally equivalent to building a house with no engineering experience and someone coming around and kicking it down. The problem isn't vibe coding per se, but lacking some key knowledge to be able to make important judgements, which may (should) result in legal liability.

Conflating a scenario that will likely result in many deaths with leaking some customer emails is kind of crazy to me. How are they morally equivalent? Both are bad, but there is a significant difference in how bad IMO.

That's why that person was non-technical. Maybe software engineering will finally require licensing like for real engineers when AI is unleashed on the world with serious consequences.

> Was it worth it? Yes, it is terrible, shoddy, insecure code, but he proved out a viable business with just a few hundred dollars of investment.

Thank god that someone, somewhere, was able to make some money out of irresponsibly releasing software into the world!

This is why we need strong financial penalties for data leaks. A company that plays fast and loose with security should be shut down the same way a restaurant would for vibe hygiene. “Oh well we poisoned some people but look how fast we set up”

That’s not a viable business, it’s a walking liability. Besides which, why would anyone trust your friend (as an investor or customer) ever again when they’ve shown such profound disregard for user data and their IP? If your metric of success is “I have no idea what I’m doing and still made money from it” your friend would have a better time starting a podcast.

> Why would anyone trust your friend (as an investor or customer) ever again when they’ve shown such profound disregard for user data and their IP?

Plenty of people probably. There are hundreds of businesses that constantly get exposed for massive leaks and/or horrendous business practices yet they're doing just fine. I'd imagine the killing blow in this case would be the Stripe key, but beyond that they would've likely had no massive issue.

On the contrary, he's solving a real business need for these small businesses at a fraction of the cost with a product that's easier to use and with better features.

The customers know there was a hack because the hacker emailed them (I had a test account and received the same email). Yet he's had no churn because there's so much value being delivered.

I think there's something to be said for that.

> On the contrary, he's solving a real business need for these small businesses at a fraction of the cost with a product that's easier to use and with better features.

He's doing the digital equivalent of drop-shipping. No one is making money at that anymore either, although people did well at first.

Drop-shipping software products isn't a long-term thing.

> Yet he's had no churn because there's so much value being delivered.

In a market that is tolerant enough of broken software that they won't churn after getting notice that it broke, it only takes another "ideas guy" to vibe-code a competitor product and take all the customers because they can charge less than he is charging[1].

[1] Because, as you said, he now has to retain a real dev to fix it, which costs money, which will have to come out of the customers, said customers being willing to switch to a cheaper replacement, which will be the vibe-coded low-cost competitor, which will eventually need a real developer, which will raise costs, which have to come from the customer, which ....

In a few months, his customers will be vibe-coding that app for themselves.

His early assessment when I talked to him about this was "it's the end of SaaS".

But the reality is that the users are first and foremost concerned with their day-to-day business. Just because you can do X doesn't mean you will do it.

It's also true that there still remains some foundational knowledge required, like knowing what a database is, what React is, how to prompt. There's a big generational divide on this, so I do not think we are at the point (yet) where "anyone" can do it. There is still a need to have some background knowledge and some technical friends who can guide you.

> I have no idea what I’m doing and still made money from it

I feel like this describes most people that start their own business at first. It just usually isn’t a lack of experience in producing the product. It’s a constant tradeoff of what skill to invest more time into to keep it afloat. They’ll learn sooner or later.

Entrepreneurship is search. The vast majority of new businesses fail and this is the unacknowledged truth.

It's just search, and most people who try will discover ways to fail, not to succeed.

This attitude towards exposing customer data as a palatable oopsie on someone’s path to learning (by… outsourcing the effort of learning to an LLM?) is truly disgraceful.

I think you're describing fraud. Of course it's easy to start a business if you're cutting every corner with no regard for the users until you get caught.

Vibe coding is going to bring upon regulation, which is the opposite of the lower barrier to entry people want it to be.

Seems like the EU's CRA does not go far enough. Products of this quality should not be sold in the first place. So I hope we will very soon regulate them too.

> Of course it's easy to start a business if you're cutting every corner with no regard for the users until you get caught.

This has been the main Silicon Valley business model for years. Find an existing, regulated industry (taxis, hotels); skirt the regulation via the magic of computers (and contractors) until you become Too Big To Fail.

> Was it worth it? Yes, it is terrible, shoddy, insecure code, but he proved out a viable business with just a few hundred dollars of investment.

and the vital ingredient? complete contempt for his customers

It's also "worth it" to start a burger stand and make $1000 a day by vibing and not wasting time on food hygiene training or practices. Gotta move fast and test the market after all.

I predict 2030: all sites in most countries will need a license to operate and something like SOC2 certification. Even for your blog.

I think it should only apply to commercial services FWIW. Amateur sites should be caveat emptor

In practice politicians don't care (or understand) commercial versus non-commercial internet services. Just look at the garbage fire that the UK online safety act is.

Nah, it'll still depend on size of user base, revenue, and safety requirements of the domain. A random personal blog won't hit any of those criteria.

It’s not a “hack” when you have your Stripe keys in the frontend.

It’s called a skill issue and to prevent these you have to actually spend time learning instead of vibing.

It’s literally the same as driving a car without a license.

Everyone can do it - but shouldn’t.

Just because it's an easy hack doesn't mean it isn't one. It's still lockpicking when it's MasterLock.

Maybe more accurately: it's still theft if the door was left open.

But the insurance won't refund you.

A judge will still find you guilty if you try "but the door was unlocked so anything inside was fair game to take".

It's a hack because he had an admin route and API endpoint which was only checking for authenticated users. He thought no one could see the route because it wasn't in a sitemap (of course, everyone could see the route). The hacker found the API route, used it to insert themselves into an admin table (Supabase RLS was not deployed correctly) and from there started adding himself to other orgs in the DB.
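The failure described in the comment above, an admin table guarded only by "is the caller logged in?", is exactly what Postgres row-level security is supposed to prevent. As an added illustration, not code from the app in the story or from Supabase, here is a hypothetical `org_admins` table with the weak policy beside a tenant-scoped one, followed by two audit queries a reviewer can run against a Supabase Postgres database. Every table, column and function name is an assumption.

```sql
-- Added example: hypothetical org_admins table (names are assumed, not from the
-- app in the thread). Runs on Supabase Postgres, where auth.uid() returns the
-- caller's user id and the public API connects as the "authenticated" role.

create table if not exists public.org_admins (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);

alter table public.org_admins enable row level security;

-- WEAK: the pattern described above. RLS is "on", but the only condition is
-- that the caller is logged in, so any user can insert a row naming themselves
-- admin of any org_id they can guess, then read that org's data.
create policy weak_admins_insert on public.org_admins
  for insert to authenticated
  with check (true);

-- Remove the weak policy before installing the tenant-scoped one.
drop policy weak_admins_insert on public.org_admins;

-- Helper answering "is the caller already an admin of this org?".
-- security definer lets it read org_admins without re-triggering the policy
-- on the same table (a policy that selects from its own table recurses).
create or replace function public.is_org_admin(target_org uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from public.org_admins
    where org_id = target_org and user_id = auth.uid()
  );
$$;

-- Only existing admins of an org may see or extend its admin list. A user who
-- is admin of no org can insert nothing, so the self-promotion route is closed.
create policy admins_select_own_org on public.org_admins
  for select to authenticated
  using (public.is_org_admin(org_id));

create policy admins_insert_by_existing_admin on public.org_admins
  for insert to authenticated
  with check (public.is_org_admin(org_id));

-- The first admin of a new org must be created by a trusted path (a signup
-- trigger or a service-role migration), never by the API caller directly.

-- Audit 1: tables reachable through the API with RLS switched off entirely.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;

-- Audit 2: policies granting the authenticated role an unconditional write,
-- which is the "authenticated users only" anti-pattern from the comment.
select schemaname, tablename, policyname, cmd, with_check
from pg_policies
where 'authenticated' = any(roles)
  and cmd in ('INSERT', 'UPDATE', 'ALL')
  and coalesce(with_check, qual) = 'true';
```

Both audit queries should return zero rows on a correctly locked-down schema; anything they list is a table or policy to review before the next deploy.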

I’d take even odds that that’s what his vibe assistant said happened but it has no relation to the actual sequence of events

> Supabase RLS was not deployed correctly

What a surprise.. This has become the new "the default password was admin and no one changed it". And I remember vendors getting enough flak for those defaults that most of them changed them.

It's a hack because... it's openly exposed to anyone...

What he built was, almost by definition, a prototype.

The problem is that, as it often happens, the prototype was then deployed to production. In this case, it was partly the fault of your non-technical friend who didn't know better, but software engineering history shows us this sometimes happens because of customer/boss pressure.

So it's often the case prototypes designed to prove feasibility or to demo to customers become production software, and AI makes this undesirable result even more frictionless.

It seems in our line of business we are doomed to repeat past mistakes -- forever.

Something I learned is that a prototype should never be shown to non-technical C-tier officials.

They will push it out to the moon even after all the technical staff have signed a report saying why it's a piece of trash and why it shouldn't be done.

Double that down if they are in finance or research. Commercial people are much more practical and understand you need a real product for client retention.

Maybe we get something good out of this push for AI and people begin to understand the difference between a product and a prototype.

Forever, until our cursed profession gets an official licensing body like other real Engineering professions. A Civil Engineer can't sign off on a prototype bridge design that then gets built and opened to the public, because any problem means potential jail time and possibly loss of licence.

There should be legal consequences for treating people's data with reckless abandon. It's normal for restaurants to be inspected. Commercial apps should also be inspected by independent bodies and fines must be paid if serious negligence is found. Imagine finding out that your favorite restaurant had a rat infestation in their storage room for a year.

And if someone gets food poisoning because the restaurant used expired ingredients, it gets heavily fined and possibly shuttered. This should also happen with software. If your root AWS user key is leaked in your frontend, your service deserves to be shuttered.

> he proved out a viable business with just a few hundred dollars of investment

That statement is a bit of a stretch though, because

> charging a fraction of their monthly cost

I have to assume at least part of his success was the price point; and that price point was possible because he wasn't paying any software developers to do things right. So "having lots of vulnerabilities" was a core component of his business model. Once that part is removed, the model is no longer proven.

> Was it worth it? Yes, it is terrible, shoddy, insecure code, but he proved out a viable business with just a few hundred dollars of investment.

Was it worth it to put all his customers at risk like that?

He is honestly lucky, the "hackers" could have done much worse, it would have been much more profitable for them to go after his customers via his software than to demand money from him had they been financially motivated.

> Third, the hacker has been trying to inject XSS attacks into app

> Now he's hiring a developer to shore it up.

So this is an ongoing attack? He should probably also hire some incident response and get some security consultancy.

I really like the recent HN post "Enough AI copilots, we need AI HUDs" (geoffreylitt).

I don't think it's stretching the airplane analogy to say: just because you can run the autopilot doesn't mean you are qualified to fly a plane and doing so might be irresponsible. Vibe coding (or vibe whatever with AI) too often overlooks the experience and expertise needed to do the thing.

See also the Tea app hacks.

https://news.ycombinator.com/item?id=44705445

Man. Script kiddies are everywhere and if you have vulnerable code, it is basically a matter of time until one of them finds a hole.

> Was it worth it? Yes, it is terrible, shoddy, insecure code, but he proved out a viable business with just a few hundred dollars of investment.

How much is it costing him to hire someone to reimplement his idea correctly?

Never mind what it's costing the vibe coder to fix this.

The important question is: what was the cost and consequences of the exploits for users of the service?

Probably a similar amount that it would have taken him to hire someone from the start, except he’s already validated the product and market.

> Probably a similar amount that it would have taken him to hire someone from the start, except he’s already validated the product and market.

He hasn't validated the market at the price point that includes the cost of a developer to build the product. He's validated a market in which it costs him close to zero to deliver. He's not validated a market which costs (say) a few months of dev time.

Currently only equity.

And it only works because has proven the revenue model and found the customers already.

Customers that he screwed over with his shoddy code.

And a developer he's screwing over by not paying them.

If he manages to do it, he'll know it's a business with legs and how much people will pay which is pretty invaluable knowledge

Lots of people on HN seem to have a very broken idea of how startups and entrepreneurship works.

Likely still cheaper than whatever these competitors have spent building their product and then hiring blackhat saboteurs.

That's a very big allegation that would need some more proof than "who else would hack it?"

I wonder if people do that sort of thing..

Generally bandits are not interested in sparing anyone. =3

He can expect 5 times what he would have paid the first time with a proper specification...

=3

> it is terrible, shoddy, insecure code, but he proved out a viable business with just a few hundred dollars of investment

I don't think he proved that. In fact the point of the story seems to be the opposite: even if you have a nice looking demo that does the thing, there is a lot of unseen cost to bringing it up to production spec that has to be accounted for.

If whatever this SaaS is can be so easily built with no technical knowledge... why would a company not just build it themselves with "vibe coding" and cut out our friend completely?

That is what is so broken about this whole vibe-coding-to-riches thing. Ignoring the very real problems with the quality of the code and the security issues, if you can vibe code it, what is stopping someone else from doing the exact same thing?

It sure isn't like security is any better... clearly.

One of the first things he told me after he got it up was that this is the end of SaaS.

The thing is, not everyone knows about these tools. Many small businesses are focused on their day-to-day. Even if you can build it yourself, there is still some operational overhead. Even if you don't have to be technical as an engineer, you still need to know a bit about apps -- what's React? What's a database?

It's honestly a bit depressing to see you say that it was worth it to make money with little investment even though it cost the users the loss of their personal data and privacy and probably put the business creator in legal turmoil.

It's only possible for you to say that because you know that the financial incentive is tipped towards vibe coders who don't care about security vs towards consumers...

If I pay a company money and then they leak my data because all of their modern-looking stuff was actually just cobbled together garbage and the founder and sole employee doesn't even know how any of it works, I would call it a scam. Your friend pulled a scam. He should face consequences for this.

Would add that in the hands of experienced developers, vibe coding is not of much help either. Coding would be much minimized with a good framework and re-use, while keeping the entire codebase maintainable.

"Tech debt" is a misnomer. It implies that at some point it should be paid down. There are very few examples where dedicating real efforts exclusively to paying down tech debt led to anything beneficial for the customer.

Some of the software we know and love today started with someone writing their very first line of PHP code, or Rails.

Vibe coding is ultimately about getting ideas shipped faster. Code quality is an engineer recruiting/retention strategy.

As we saw with that Tea app (which wasn't even vibe coded), you're only as secure as your weakest firebase store.

The one tip for quick success that the Human Developers don't want you to know: You don't have to pay down your tech debt if the company folds because hackers leak your customer database and refund all your income.

This counterfactual implies that successful companies that have not been hacked have done so because they pay down their tech debt.

I can name many companies that have Olympus Mons levels of tech debt, and are doing great. Here's one: Spotify

> Vibe coding is ultimately about getting ideas shipped faster.

Studies show that using LLMs for coding results in negative net productivity gains on average.

There have been a few studies that show that in certain circumstances this is the case. But doing a literature review will illustrate the bulk support the alternative hypothesis.

Ultimately, whatever the hype factor there is a large number of clever people putting their time and money into it for a reason.

I would read that study thoroughly.

It had a very specific caveat of "within existing codebases that the engineer was intimately familiar with."

In all other instances, it was not slower.

Your friend vibe coded something that handles people's financial information and/or PII with zero diligence.

This is a no fly zone amigo, that's going to be a hard no from me dawg.

That's not instant tech debt, that's a class action lawsuit for negligence with damages that, were I a juror in a trial, I would find him liable for.

Doesn't sound like it was worth it to the paying customers/guinea pigs whose data became vulnerable because your friend said "security? Lol". But I guess that's true of normie-coded startups as well.

The customers know he was hacked because the hacker sent an email to everyone on the customer list. Yet none of the customers left and he's only grown the customer base since then.

I think that tells you something: they have a real, painful, and costly problem to solve that he solves for them to a T.

> ...normie-coded startups

Having been in the startup space for the last 20 years spanning bootstrapped companies to startups that raised $8m seed rounds to startups that raised a $100m C round, I've learned that there's only one thing that matters: solving valuable problems and getting that in front of customers.

You can be as technically pristine as you want and live in an ivory tower, but that rarely if ever leads to a successful entrepreneurial endeavor.

> I've learned that there's only one thing that matters: solving valuable problems and getting that in front of customers.

To quote another recent article: That is to say, it turns out that the core competency of smiling and promising people things that you can't actually deliver is highly transferable.

He's already delivering it and they already see the value in it though?

All your replies in this thread make sense only if you see zero value in security. Security is not about being "technically pristine".

It definitely wasn't worth it, and the only reason it got off the ground was because of the current default expectation of human-written software being somewhat reliable and mostly safe from exploits of this kind.

This is why I think it's irresponsible to announce to the world that your app was vibe coded. It's like putting a target on your back for hackers.

> But at the same time, he was able to prove out a viable business in a matter of a few months with no engineering background and no technical capability.

Is that your takeaway? My takeaway is that he was able to prove that paying nothing for s/ware development is a viable strategy to outcompete businesses who pay for s/ware development.

I mean, by that measure, I can "prove" a viable market for ride-sharing that charges 50% of what Uber, et al charges. All I have to do is have the drivers drive for free.

> Now he's hiring a developer to shore it up.

I would bet good money that that is going to go badly too, unless his instructions to the developer are "Do whatever is necessary, including rewriting from scratch if that is necessary", and the reason I say this is because the vibe-coded apps I looked at were all very hard to follow.

Everyone is slamming you but the reality is that you could use AI models + a competent developer or security engineer to _very_ quickly shore up the entire codebase and fix every single hole -- getting it to a place where it's comparable with everything else out there. It's really not that hard (and there is already a bit of research around the defensive coding capabilities of tools like Codex and Claude Code)[1].

I have personally taken this approach with web dev, granted I'm a very senior developer. First, develop features, then ask a larger/smarter model (o3, o3-pro, gemini-2.5 pro) to analyze the entire codebase (in sections if needed) and surface every security issue, vulnerability, attack vector, etc. I then pass that back to agents to execute refactors that clean up the code. Repeat until all your keys are in the proper place, all your calls are secured, all your endpoints are locked down, all your db calls are sanitized, etc etc etc.

Now, this should have been done PRIOR to release and would have only taken a few more days (depending on app complexity and the skill of the developer).

[1]: https://arxiv.org/html/2505.15216 - "OpenAI Codex CLI: o3-high, OpenAI Codex CLI: o4-mini, and Claude Code are more capable at defense, achieving higher Patch scores of 90%, 90%, and 87.5%"

This approach to security is backwards. It's way harder to find security issues than to never include them in the first place. This approach might work for another webapp but I highly doubt a retroactive security analysis is practical for a more involved system.

Yeah. A lot of security issues are design issues, not "I reused a buffer for something else" issues.

Fixing design and/or architecture at a high level usually requires a significant rewrite; sometimes even a switch in technology stacks.

You don't know what you don't know. How was a non-technical glorified PM supposed to know to ask for these things in the first place? Such technical practices developed over time in the history of software engineering, as problems arose.

This is the main problem with AI and vibe coding right now: it does what you ask (and sometimes does related things in the line of that ask).

It doesn't look at the big picture of the multiple entry points into the software. For example, he had one vulnerability which required a hop through email which would create an entry in a table that ended up elevating permissions temporarily.

Hopefully platforms like Replit, Firebase Studio, et al. one day just include a security audit agent.

Everyone knows that hackers exist and exploit security lapses. Everyone. You might not know the details and such, but you should be responsible enough to at least ask if you are taking people's money. I just don't think the ignorance card is plausible here.

The only mistake the original developer made is they forgot to write “you are an expert in the field, you make no mistakes and you make your website secure and free of vulnerabilities” at the end of their prompt.

> I think indeed, vibe-coded software in the hands of the inexperienced is instant tech debt. But at the same time, he was able to prove out a viable business in a matter of a few months with no engineering background and no technical capability.

Wait, if there are competitors, how was he able to prove a viable business when there were two viable businesses out there?

In the same way that Figma and Canva had to prove that there was a business model with a browser-first alternative.

They are legacy incumbents using desktop software in an ostensibly solved space.

The question here is whether there was appetite for a lighter, web-based solution.

So in the hands of someone whose main expertise is in writing the secure login and data protection part of an application, maybe it is a bit better? At least they could eliminate much of the low hanging fruit. Of course anything put together quickly by a small team is going to be full of vulnerabilities until it gets battle tested and security checked.

An interesting point is that if you ask AI to security audit a codebase it can find the vulnerabilities. But the AI "forgets security" when writing new features. This is probably caused by training data and RL.

Using LLMs to code is rapidly converging into "programming with natural language" with all drawbacks Dijkstra foresaw and none of the magic big tech promised.

Seems fair. If the vendor doesn't want to pay for quality software, the customers shouldn't have to pay for bad software.

Will his customers trust him a second time though?

Most customers just don’t care that much, and if it’s a viable business, even losing all the initial customers won’t matter. This is why we are where we are with respect to basic security.

(E.g., early Dropbox went four hours accepting any password for any account, and shortly thereafter somebody got about 30 million of their passwords, and they’re doing just fine.)

"Claude, write a heartfelt apology tweet, downplay the damages, and emphasize that we're working around the clock to fix things."

They trusted him more after he got hacked. He actually got more signups from inbound.

> ZUCK: people just submitted it

> ZUCK: i don’t know why

> ZUCK: they “trust me”

> ZUCK: dumb fucks

Sounds like a case of survivorship bias, considering that many try but very, very few succeed.

Which country?

But I'm guessing there are lawsuits incoming with GDPR/US equivalent fines.