Critical Vulnerability in AI Vibe Coding platform Base44

One of the most profoundly transformed domains in the wake of the LLM revolution has been code generation, especially the rise of vibe coding, where natural language prompts replace traditional programming. This shift has empowered millions of users with little to no technical background to build fully functional applications with ease.

Platforms like Lovable, Bolt, and Base44 are at the forefront of this movement. They have enabled the creation of millions of applications, from personal tools to enterprise systems: enterprises now rely on these platforms to build internal chatbots, create complex automations, and trust them with sensitive corporate data.

In our mission to find novel AI and cloud risks, Wiz Research has been looking into the security posture of these AI-powered development platforms to identify common vulnerabilities that may impact the industry as a whole – a mission that becomes even more important as these systems and technologies get infused into governments and other critical infrastructure.

Executive Summary

Wiz Research has identified a critical vulnerability affecting the popular vibe coding platform Base44 (recently acquired by Wix following an amazingly rapid rise) which allowed unauthorized access to private applications built by its users.

The vulnerability we discovered was remarkably simple to exploit: by providing only a non-secret app_id value to undocumented registration and email verification endpoints, an attacker could have created a verified account for private applications on the platform.

This effectively bypassed all authentication controls that Base44 provided, including Single Sign-On (SSO), granting full access to what were intended to be private enterprise applications and the sensitive data they might have contained.
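
The missing check described above, sketched as an added example (not code from Base44 or Wiz Research): a registration handler that treats a known app_id as sufficient, beside one that enforces the app's own access policy first. Every name, policy field and sample app here is hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical data model, constructed for this example.
@dataclass
class App:
    app_id: str                 # public identifier; must never act as a credential
    private: bool = False
    sso_required: bool = False
    invited: set = field(default_factory=set)

class RegistrationDenied(Exception):
    pass

# Constructed sample apps.
APPS = {
    "app-public": App("app-public"),
    "app-private": App("app-private", private=True, sso_required=True,
                       invited={"alice@corp.example"}),
}

def register_weak(app_id, email):
    """Flawed pattern: anyone who knows app_id gets a verified account."""
    app = APPS[app_id]
    # The caller proves control of their own mailbox, nothing more.
    return {"app_id": app.app_id, "email": email, "verified": True}

def register_hardened(app_id, email, sso_asserted=False):
    """Enforce the app's access policy before any account is created.

    sso_asserted (assumption): True only after the server has validated
    an assertion from the app's identity provider.
    """
    app = APPS.get(app_id)
    if app is None:
        raise RegistrationDenied("unknown app")
    if app.sso_required and not sso_asserted:
        raise RegistrationDenied("app accepts SSO identities only")
    if app.private and email.lower() not in app.invited:
        raise RegistrationDenied("email is not invited to this private app")
    return {"app_id": app.app_id, "email": email, "verified": True}

def is_denied(app_id, email, **kw):
    """Helper for checks: True when the hardened handler refuses."""
    try:
        register_hardened(app_id, email, **kw)
        return False
    except RegistrationDenied:
        return True
```

The same policy check belongs on every endpoint that can create or verify an account, including ones the UI never calls.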
