• kreekybonez@sh.itjust.works · ↑9 · 3 hours ago

    Others had only trivial barriers to that access, such as requiring that a visitor sign in with any email address

    My company made one of these AI apps, and when I signed up I realized there was no email verification.

    So, I made a fake user, with fake credentials and an email that doesn’t even exist, and it worked. Oh, and it has default editing permissions, so I was able to change data in it.

    It won’t allow the use of an email outside of the company domain, but here’s the kicker: there’s a pop-up notification that tells you what domain to use.

    It’s been 3 weeks, and it hasn’t been deleted yet.
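The comment above describes two separate gaps: an account is usable before the address is ever verified, and a fresh account gets edit rights by default. The following is an added example (not code from this thread or from any product it discusses) of a sign-up flow that closes both: new accounts are held unverified and read-only, a one-time token that expires must be redeemed from the mailbox, editing is an explicit post-verification grant, and the allowed-domain rule is enforced server side with a generic error so nothing tells the caller which domain to use. The `AccountService` class, the `example.com` domain, the in-memory store, the clock and the mail hook are all constructed for this example.

```python
# Added example, not code from the thread or from any product named in it.
# Models a sign-up flow that closes the gaps the comment describes:
# accounts start unverified and read-only, editing needs an explicit grant,
# and the allowed-domain rule is enforced server side with a generic error.
# The domain, clock, in-memory store and mail hook are all constructed here.
import secrets
import time
from typing import Callable, Dict, Tuple

ALLOWED_DOMAIN = "example.com"       # constructed value; real apps keep this in config
TOKEN_TTL_SECONDS = 15 * 60          # verification links should expire quickly
GENERIC_SIGNUP_ERROR = "Sign-up is not available for this address."


class SignupError(Exception):
    """Raised with a message that reveals nothing about the domain policy."""


class AccountService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # email -> {"verified": bool, "role": str}
        self._users: Dict[str, Dict[str, object]] = {}
        # token -> (email, expiry timestamp); tokens are single use
        self._pending: Dict[str, Tuple[str, float]] = {}

    def signup(self, email: str, send_mail: Callable[[str, str], None]) -> None:
        """Create an unverified 'viewer' account and mail a one-time token.

        The token goes only to the mailbox, so whoever completes verification
        must actually control the address. Every rejection (bad domain,
        duplicate account) uses the same message so the policy is not leaked.
        """
        email = email.strip().lower()
        local, sep, domain = email.rpartition("@")
        if not sep or not local or domain != ALLOWED_DOMAIN:
            raise SignupError(GENERIC_SIGNUP_ERROR)
        if email in self._users:
            raise SignupError(GENERIC_SIGNUP_ERROR)
        self._users[email] = {"verified": False, "role": "viewer"}
        token = secrets.token_urlsafe(32)
        self._pending[token] = (email, self._now() + TOKEN_TTL_SECONDS)
        send_mail(email, token)

    def verify(self, token: str) -> bool:
        """Redeem a token once; unknown or expired tokens simply fail.

        An expired token is discarded, so the account stays unverified until
        a fresh token is issued (a real app would offer a resend).
        """
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        email, expires_at = entry
        if self._now() > expires_at:
            return False
        self._users[email]["verified"] = True
        return True

    def is_verified(self, email: str) -> bool:
        user = self._users.get(email.strip().lower())
        return bool(user and user["verified"])

    def grant_role(self, email: str, role: str) -> None:
        """Edit rights are an explicit, post-verification grant, never a default."""
        if role not in ("viewer", "editor"):
            raise ValueError("unknown role")
        user = self._users.get(email.strip().lower())
        if not user or not user["verified"]:
            raise PermissionError("only verified accounts can be assigned roles")
        user["role"] = role

    def can_edit(self, email: str) -> bool:
        user = self._users.get(email.strip().lower())
        return bool(user and user["verified"] and user["role"] == "editor")


if __name__ == "__main__":
    outbox = []   # stands in for the mail system; constructed for the demo
    svc = AccountService()
    svc.signup("alice@example.com", send_mail=lambda to, tok: outbox.append((to, tok)))
    print("can edit before verification:", svc.can_edit("alice@example.com"))
    svc.verify(outbox[0][1])
    print("can edit after verification alone:", svc.can_edit("alice@example.com"))
    svc.grant_role("alice@example.com", "editor")
    print("can edit after explicit grant:", svc.can_edit("alice@example.com"))
```

The point of the generic error is the pop-up the commenter mentions: a domain check that is enforced on the server and reports only "not available" gives an unverified visitor nothing to work from, while the default `viewer` role means that even a verified account cannot change data until someone with authority grants it.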

      • Bluescluestoothpaste@sh.itjust.works · ↑1 · 3 hours ago

        Oh wait, they’re talking about the vibecode platforms. I think those are harnesses really, in which case, yeah, shame on the companies selling these insecure harnesses.

        • Bluescluestoothpaste@sh.itjust.works · ↑1 · edited · 3 hours ago

          Hmm

          Wix, wrote in a statement that “Base44 provides users with robust tools to configure their own applications’ security, including access controls and visibility settings.” She added that “disabling those controls is a deliberate, straightforward action, any user can do it

          Yeah, people are stupid, so I believe this.

  • haverholm@kbin.earth · ↑5 · 7 hours ago

    Archived version?

    Edit: asking in part because Wired always gives me the “you’re out of free articles!” message, but also this link throws a 403 at the mo.