5,000 Vibe-Coded Apps Are Leaking on the Open Web — and the S3 Analogy Misses the Legal Novelty
RedAccess found over 5,000 exposed apps across the four leading vibe-coding platforms, with roughly 2,000 leaking real PHI, customer chat logs, and internal strategy decks. These aren't misconfigured storage buckets; they're auth logic the platform generated and the user never saw. The S3 analogy that's circulating misses the legal novelty: AWS could credibly disclaim your bucket policy because you wrote it. Lovable, Replit, and Base44 wrote the auth logic that isn't there. That shifts where liability attaches, and the first court to hold a code-generation platform partially liable for a generated vulnerability resets every product roadmap in the category overnight. It's the same verification failure the hedge fund and interpretability stories surface from different angles: the layer that was supposed to enforce quality or security has been dissolved by the technology it was meant to govern. The people building trust infrastructure for that layer, across all three markets, are the ones with a durable position.