THC 2026 - Vibe Coding at Scale: Systematic Discovery of Authorization Failures and Data Exposure

Nohé Hinniger-Forayi (Escape) 🎙️, Gabin Fouquet (Escape) 🎙️, Gabriel Marquet (Escape), Gwendal Mognie (Escape) and Alexandra Charikova (Escape) In this presentation, we showcase how we uncovered over 35,000 vulnerabilities in AI-generated applications exposed on the public internet. We cover the background and motivations behind this study, the methodology we applied, and a high-level overview of our findings including Broken Authentication, exposed secrets, and Personally Identifiable Information (PII) leaks. We then take a deep dive into several critical vulnerabilities, such as zero-click account takeovers and exposed admin payment API secrets. Finally, we conclude with practical mitigation strategies and security guidelines for teams building AI-generated applications.