Startups are now the low-hanging fruit for hackers

Only four days after the original post, a vibe-coded dating app was hacked and its users' personal information, including driver's licenses, was leaked.


If you have vibe-coded something, don't collect or store sensitive information from the public until you can afford to have someone else secure it.

Last week I asked Cursor to write me a file upload function.
(With clear instructions on how to make it secure)
After I saw the code, I realized most startups will get hacked.

Spoiler: it was still too insecure.

Chat history:
Me: Make sure only authorized users can access the files
Cursor: Here you go. The code is safe and written with best practices in mind
Me: But I can still access those files as a guest!
Cursor: Here you go… (repeating the same stuff)
Me: But I can still access…

After a few more prompts,
it finally coded the right thing.
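The check the generated code kept leaving out is per-object authorization on the download path: not just "is someone logged in" but "does this user own this file". Here is an added example, not the author's or Cursor's code, showing the insecure shape the exchange describes next to a hardened upload/download pair. It is framework-free Python so it runs stand-alone; the session store, the in-memory metadata table and the token names (tok-alice, tok-bob) are constructed for illustration.

```python
"""Added example: an uploaded-file endpoint the way the post describes it
(any guest can fetch any file) beside a hardened version. Handlers take a
session token and a file id and return (status, body) so the logic runs
without a web framework. Sessions, users and file metadata are constructed."""
import os
import secrets
import tempfile

STORAGE_DIR = tempfile.mkdtemp(prefix="uploads-")
FILES = {}  # constructed metadata store: file_id -> {"owner", "path", "content_type"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed session store
MAX_BYTES = 5 * 1024 * 1024
ALLOWED_TYPES = {"image/jpeg", "image/png", "application/pdf"}


def upload(session_token, content_type, data):
    """Store an upload under a server-chosen random name and record who owns it."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, "login required"
    # Client-declared type is a first filter only; production code should also
    # sniff the bytes (magic numbers) instead of trusting the header.
    if content_type not in ALLOWED_TYPES:
        return 415, "unsupported type"
    if len(data) > MAX_BYTES:
        return 413, "too large"
    file_id = secrets.token_urlsafe(32)  # unguessable, and never the client's filename
    path = os.path.join(STORAGE_DIR, file_id)
    with open(path, "wb") as fh:
        fh.write(data)
    FILES[file_id] = {"owner": user, "path": path, "content_type": content_type}
    return 201, file_id


def download_insecure(session_token, file_id):
    """The shape the post complains about: looks the file up and returns it
    without ever asking who is calling, so a guest (no session) gets it too."""
    record = FILES.get(file_id)
    if record is None:
        return 404, b""
    with open(record["path"], "rb") as fh:
        return 200, fh.read()


def download_secure(session_token, file_id):
    """Authenticate first, then authorize against the object's recorded owner."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, b""
    record = FILES.get(file_id)
    # Same 404 for "missing" and "not yours": the endpoint should not confirm
    # that another user's file id exists.
    if record is None or record["owner"] != user:
        return 404, b""
    with open(record["path"], "rb") as fh:
        return 200, fh.read()


def demo():
    """Upload one file as alice, then try to fetch it four ways."""
    status, file_id = upload("tok-alice", "image/jpeg", b"\xff\xd8 constructed jpeg bytes")
    assert status == 201
    return {
        "guest_insecure": download_insecure(None, file_id)[0],     # 200: the bug
        "guest_secure": download_secure(None, file_id)[0],         # 401
        "other_user_secure": download_secure("tok-bob", file_id)[0],  # 404
        "owner_secure": download_secure("tok-alice", file_id)[0],  # 200
    }


if __name__ == "__main__":
    print(demo())
```

The point to test for by hand, as the author did, is the first line of demo(): open a file URL in a private window with no session and see whether it loads. The hardened version also records the owner at upload time, which is what makes the per-object check possible later; an AI-generated endpoint that only stores the bytes has nothing to authorize against.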

But it left me wondering:

How many vibe-coders don’t question their AI?
And how many of them run a startup?

As a pentester, after hacking hundreds of websites,
I know how companies’ websites usually get hacked.
Those flaws are usually invisible to vulnerability scanners.
And you don't find out about them unless you pay for a pentest.

Most startups can't afford that.
And most vibe-coded startups can't afford NOT to.

The original LinkedIn post:
It’s official. Vibe-coded startups are the new “low-hanging” fruit for hackers. My post 4 days ago had predicted this exact situation. All drivers' IDs and face pics made public. Why? Because insecure defaults are everywhere if you vibe-code everything. In this case, publicly accessible storage buckets for sensitive info. Could have been prevented by a 10-min check. I have experienced it first hand. And I got solutions to minimize your risk FAST. Read here: https://lnkd.in/gWMEUThq
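The post blames a publicly accessible storage bucket and says a ten-minute check would have caught it. As an added example, not from the post, here is what that check looks like as code. The post does not name the storage provider, so this assumes an S3-style bucket and evaluates constructed JSON in the shape the AWS CLI returns for get-public-access-block, get-bucket-policy and get-bucket-acl; fetching that JSON from a live account is left to the caller so the logic runs offline. Bucket names, Sids and the sample policy are made up.

```python
"""Added example: an offline "is this bucket public?" check over S3-style
Public Access Block, bucket policy and ACL documents. All inputs below are
constructed; they are not from the incident the post describes."""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account: still public
}
READ_ACTIONS = {"*", "s3:*", "s3:getobject"}


def principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_read_statements(policy):
    """Sids of statements that let anyone read objects: Allow + public principal
    + a GetObject-style action + no Condition. A Condition may narrow access to
    an IP range or VPC, so conditioned statements are left for manual review."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in READ_ACTIONS for a in actions):  # IAM matches action names case-insensitively
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """Grantee groups in the ACL that mean "everyone"."""
    return sorted(
        g["Grantee"]["URI"]
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
    )


def check_bucket(public_access_block, policy, acl):
    """Combine the three documents. Public Access Block can neutralise a public
    policy (RestrictPublicBuckets) or a public ACL (IgnorePublicAcls); a bucket
    with no block configured at all (empty dict) gets no such protection."""
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    policy_hits = public_read_statements(policy)
    acl_hits = public_acl_grants(acl)
    exposed_by_policy = bool(policy_hits) and not pab.get("RestrictPublicBuckets", False)
    exposed_by_acl = bool(acl_hits) and not pab.get("IgnorePublicAcls", False)
    return {
        "public": exposed_by_policy or exposed_by_acl,
        "exposed_by_policy": exposed_by_policy,
        "exposed_by_acl": exposed_by_acl,
        "policy_statements": policy_hits,
        "acl_grants": acl_hits,
    }


# --- constructed sample inputs in CLI output shape ---
NO_BLOCK = {}  # get-public-access-block raised NoSuchPublicAccessBlockConfiguration
FULL_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
CLI_POLICY_OUTPUT = {"Policy": json.dumps({  # the CLI returns the policy as a JSON string
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-id-uploads/*"}]})}
PUBLIC_POLICY = json.loads(CLI_POLICY_OUTPUT["Policy"])
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Owner": {"ID": "owner-id"}, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print(check_bucket(NO_BLOCK, PUBLIC_POLICY, PRIVATE_ACL))
```

Two caveats for anyone running this against a real account: an account-level Public Access Block also applies and is not read here, and a statement with a Condition is skipped rather than judged, so a conditioned public grant still needs a human look. The quickest end-to-end confirmation remains the one the author implies: request an object URL from a logged-out browser and see whether it downloads.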