6 min read
Saved February 14, 2026
This article details how the Escape research team identified over 2,000 vulnerabilities in more than 5,600 applications built with vibe coding platforms. It explains their methodology, which included data gathering, attack surface scanning, and the introduction of the Visage Surface Scanner to analyze frontend code for security weaknesses.
Escape's research team analyzed over 5,600 vibe-coded applications and found more than 2,000 vulnerabilities, over 400 exposed secrets, and 175 instances of personally identifiable information (PII) such as medical records and phone numbers. Vibe coding platforms like Lovable.dev and Base44.com let non-developers build applications without writing code, which raises the likelihood of security flaws shipping to production. The study set out to find widespread issues rather than isolated cases, and it found systemic vulnerabilities in applications built by users with little security knowledge.
The methodology involved gathering data from various sources, including official launch directories and community forums, to create a dataset of 4,000 applications. The team utilized Shodan to find live instances of these apps and applied a multi-stage curation process to filter out dead links and non-application pages. The analysis focused heavily on Lovable deployments, which dominated the dataset, potentially skewing the findings. Ethical guidelines were followed, excluding educational and health-related domains to respect user privacy.
After curating the dataset, the team systematically mapped each application's attack surface. They identified and classified exposed assets (hosts, web apps, and APIs) using a layered discovery strategy that combined web crawling with static analysis of the JavaScript and HTML served to the browser. One recurring finding was anonymous JWT tokens embedded in JavaScript bundles, tied to PostgREST APIs of the Supabase backend. The caveat a practitioner should keep in mind: Supabase's anonymous key is designed to be shipped to the browser, so its presence alone is not the flaw. It becomes a security problem when the tables behind the PostgREST endpoint have no Row Level Security policies, because the key then lets any unauthenticated caller read or write them. That is the risk these exposures carry in vibe-coded applications.
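As an added example (not Escape's Visage Surface Scanner and not code from the article), the Python below shows the kind of static check such a scanner runs over a JavaScript bundle: it finds Supabase project hosts and embedded JWTs, decodes each token's payload without verifying the signature, keeps only tokens whose issuer claim is `supabase`, derives the PostgREST base URL from the project ref, and grades the finding by role. The bundle, the project ref and the tokens are constructed for the example, and the severity mapping is my assumption rather than the study's.

```python
"""Static scan of a JS bundle for Supabase project hosts and embedded JWTs.

Added example, not Escape's scanner. Sample bundle and tokens are constructed;
the token signatures are junk, which is fine because we never verify them.
"""
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional

# A compact JWS: three base64url segments. Header and payload both encode a JSON
# object, and base64url('{"') starts with "eyJ", hence the fixed prefixes.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Supabase project hosts look like <ref>.supabase.co with a 20-character ref.
SUPABASE_HOST_RE = re.compile(r"https://([a-z0-9]{20})\.supabase\.co")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> Optional[dict]:
    """Decode the payload WITHOUT signature verification: a scanner never has the
    project's JWT secret, and the goal is only to classify what the bundle ships."""
    try:
        _header, payload, _sig = token.split(".")
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):  # bad base64, bad JSON, wrong segment count
        return None
    return claims if isinstance(claims, dict) else None


@dataclass
class Finding:
    role: str                      # "anon", "service_role", or something else
    ref: Optional[str]             # project ref from the token's claims
    rest_endpoint: Optional[str]   # PostgREST base URL the key is used against
    host_in_bundle: bool           # the project URL also appears in the bundle
    severity: str


def classify(role: str) -> str:
    # Assumed severity mapping: the anon key is meant to be public and is only a
    # problem when Row Level Security is missing, so it is a lead to verify;
    # a service_role key in a browser bundle bypasses RLS entirely.
    if role == "service_role":
        return "critical"
    if role == "anon":
        return "verify-rls"
    return "info"


def scan_bundle(js: str) -> list:
    """Return one Finding per distinct Supabase-issued JWT in the bundle."""
    hosts = set(SUPABASE_HOST_RE.findall(js))
    findings = []
    for token in sorted(set(JWT_RE.findall(js))):
        claims = decode_jwt_payload(token)
        if not claims or claims.get("iss") != "supabase":
            continue  # third-party token (Auth0, Firebase, ...), not a Supabase key
        ref = claims.get("ref")
        role = str(claims.get("role", "unknown"))
        endpoint = f"https://{ref}.supabase.co/rest/v1/" if ref else None
        findings.append(Finding(role, ref, endpoint, ref in hosts, classify(role)))
    return sorted(findings, key=lambda f: f.role)


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the sample bundle (signature is junk)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.c2lnbmF0dXJl"


FAKE_REF = "abcdefghijklmnopqrst"  # constructed project ref, not a real project
SAMPLE_BUNDLE = (
    'const supabaseUrl="https://' + FAKE_REF + '.supabase.co";\n'
    'const supabaseKey="' + _fake_jwt({"iss": "supabase", "ref": FAKE_REF, "role": "anon"}) + '";\n'
    # the mistake that turns an expected exposure into a critical one
    'const adminKey="' + _fake_jwt({"iss": "supabase", "ref": FAKE_REF, "role": "service_role"}) + '";\n'
    # unrelated third-party token that must be ignored
    'const other="' + _fake_jwt({"iss": "https://example.auth0.com/", "sub": "u1"}) + '";\n'
)

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(finding)
```

Run against a real bundle, the `verify-rls` findings are leads, not vulnerabilities: the next step is to query the derived `/rest/v1/` endpoint with the anon key and check whether tables answer without RLS, which is where the exposure described above turns into a data leak. A `critical` finding needs no further confirmation.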