AI Security
You vibe coded your SaaS in a weekend. We make sure it does not get hacked on Monday.
Sherlock Forensics audits applications built entirely with AI coding tools including Cursor, Bolt, Lovable, Replit and v0. Common findings include plaintext password storage, client-side authentication, SQL injection, exposed configuration files and missing access controls. Over 20 years of forensic experience. Quick audits from $1,500 CAD. Contact 604.229.1994.
Vibe coding has made it possible for anyone with an idea to ship a working SaaS product in days. The AI handles the code. But the AI does not handle security. Every vibe coded application we have tested has had critical vulnerabilities that would take an attacker minutes to exploit.
What We Find
AI coding tools generate login flows that look complete but skip critical security steps. Missing rate limiting on login endpoints, JWT tokens without expiration, password reset links that never invalidate and session tokens that persist after logout. These are the first things an attacker tests and the last things a vibe coder thinks about.
The most dangerous pattern in vibe coded apps: API endpoints that check whether a user is logged in but never check whether that user should have access to the requested resource. User A can access User B's data by changing an ID in the URL. This is broken access control and it appears in nearly every vibe coded application we test.
AI assistants generate database queries using string concatenation instead of parameterized queries. They build shell commands by pasting user input directly into command strings. The resulting code works perfectly in development and is trivially exploitable in production.
Vibe coded apps frequently contain API keys for Stripe, OpenAI, Supabase and other services hardcoded in client-side JavaScript. The AI puts them there because that is the fastest way to make the feature work. An attacker finds them in seconds using browser developer tools.
AI-generated API endpoints often return entire database records when the frontend only needs two fields. User email addresses, password hashes, internal IDs and billing information leak through overly verbose API responses that no one audited because no one wrote the code.
Default database credentials, debug mode enabled in production, CORS set to allow all origins, missing security headers, verbose error messages exposing stack traces. AI tools ship with defaults that prioritize developer experience over production security.
Scope
| Platform | Common Stack | Typical Risks |
|---|---|---|
| Cursor / Claude Code | Next.js, Supabase, Vercel | Auth bypass, RLS gaps, API key exposure |
| Bolt / Lovable | React, Node.js, Firebase | Client-side auth, missing server validation |
| Replit Agent | Python/Flask, SQLite, Replit hosting | SQL injection, default configs, no HTTPS |
| Windsurf / Others | Variable | Mixed patterns from underlying models |
Pricing
Frequently Asked Questions
Authority Resources
Related
Security audits for AI-generated code from Copilot, Claude and ChatGPT targeting hallucinated packages, weak crypto and injection flaws.
A downloadable checklist covering the baseline security controls every organization should have in place.
Pre-funding security assessments for AI startups covering model APIs, data pipelines and infrastructure hardening.
Get Started
Quick audits from $1,500. Results in 3-5 business days.
Order OnlineTell us what you built, what tools you used and how many users you have. We will scope a quick audit that fits your budget and timeline.
Call 604.229.1994