I keep finding vibe coded apps that leak user data, and I'm not even looking for it
A recurring pattern of serious security vulnerabilities in AI-generated (vibe coded) apps is being discovered accidentally. Real examples include a gaming site that returned its entire user database to every client, a content platform exposing unpublished drafts, a tip-submission site leaking submitters' contact info, and a self-hosted tool exposing plaintext passwords via unauthenticated endpoints. The root cause is consistently the same: authorization logic is placed on the frontend rather than enforced server-side, meaning the backend returns all data and trusts the UI to filter it. The author argues this problem will worsen because vibe coding tools reward speed over security, and many non-engineers are shipping apps that handle sensitive data without understanding server-side authorization. Practical advice includes auditing every endpoint as if an attacker will call it, checking network traffic on your own app, and ensuring the server — not the client — enforces data access controls.
Table of contents

- A gaming site that served every user's details to every client
- A content platform that served up its own drafts
- Some of them make the news
- The shared failure mode of vibe coded apps
- Why this isn't going to get better
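The shared failure mode described above, as an added example that is not code from the original post or from any of the apps it mentions: a handler that returns the whole user table and trusts the UI to filter it, beside a version that enforces access on the server, plus a small audit routine that exercises each handler the way the post recommends (call every endpoint as if the caller is not who the UI assumes). The user records, session shape and handler names are constructed for the example.

```javascript
// Constructed "database": two users with secrets and unpublished drafts.
const users = [
  { id: 1, email: "alice@example.com", passwordHash: "hash-a", draft: "alice draft" },
  { id: 2, email: "bob@example.com", passwordHash: "hash-b", draft: "bob draft" },
];

// Vulnerable pattern: the server returns every row and relies on the
// frontend to show only the logged-in user's data. Anyone who calls the
// endpoint directly (curl, devtools, a script) receives the whole table.
function getProfileVulnerable(req) {
  return { status: 200, body: users };
}

// Hardened pattern: the server resolves the caller from the session, refuses
// unauthenticated requests, loads only the caller's own record, and strips
// credential material before serialising. The client never gets to choose.
function getProfileHardened(req) {
  const callerId = req.session && req.session.userId;
  if (!callerId) return { status: 401, body: { error: "unauthenticated" } };
  const user = users.find((u) => u.id === callerId);
  if (!user) return { status: 404, body: { error: "not found" } };
  const { passwordHash, ...safe } = user; // never send password hashes
  return { status: 200, body: safe };
}

// Audit helper: invoke each handler with no session and as a different user,
// then flag any row that belongs to someone other than the caller, or that
// carries a password field. Returns a list of findings (empty = clean).
function auditLeaks(handlers) {
  const findings = [];
  const probes = [{ session: null }, { session: { userId: 2 } }];
  for (const [name, handler] of Object.entries(handlers)) {
    for (const req of probes) {
      const callerId = req.session ? req.session.userId : null;
      const res = handler(req);
      const rows = Array.isArray(res.body) ? res.body : [res.body];
      for (const row of rows) {
        if (!row || row.id === undefined) continue; // error bodies, not data
        if (row.id !== callerId) findings.push(`${name}: row ${row.id} served to caller ${callerId}`);
        if ("passwordHash" in row) findings.push(`${name}: passwordHash exposed`);
      }
    }
  }
  return findings;
}

// Running the audit over both handlers shows the vulnerable one leaking and
// the hardened one clean.
console.log(auditLeaks({ getProfileVulnerable, getProfileHardened }));
```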