Source: www.techrepublic.com – Author: Megan Crouse
We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.
Base44’s parent company Wix quickly patched the critical vulnerability. Researchers noted that vibe coding on a platform like Base44 can enlarge an app’s attack surface.
Wiz Research discovered a critical vulnerability in the enterprise vibe coding platform Base44, highlighting some of the potential pitfalls for generative AI tools. In a blog post on Tuesday, Wiz Research detailed how a user could create a verified account by bypassing Single-Sign On (SSO) and other authentication protections.
The vulnerability was not exploited in the wild. Website building platform Wix, which acquired Base44 in mid-June, patched the vulnerability within 24 hours after Wiz Research responsibly disclosed it.
How did researchers discover Base44’s vulnerability?
In order to find the vulnerability, Wiz Research started looking for publicly accessible domains. The researchers found two interfaces for Swagger-UI, a tool for visualizing and testing APIs. From there, they discovered two authentication API endpoints were exposed without authentication:
- the api/apps/{app_id}/auth/register for registering a new user by providing email address and password.
- the api/apps/{app_id}/auth/verify-otp for verifying a user by providing a one-time-password.
This meant that, by retrieving a public app_id from any Base44 app’s manifest file or URI and manifest.json file path, an attacker or researcher could register and verify a new user account.
With the app_id value, the Wiz Research team could register a new user account in the Swagger-UI interface and receive a code to verify an account – even in private applications built in Base44.
Do users need to take any action?
Base44 users don’t need to take any action because Wix has already applied the patch; however, applications may have been vulnerable before July 9. Wiz Research said its customers can use the inventory page on the Wiz platform to identify any Base44 applications in their environment.
Wiz Research suggests organizations might perform the following safety checks:
- Review the data > analytics section inside any Base44 application settings for any unusual user visits and registrations to any private applications.
- Add more monitoring for third-party platform access as a general security best practice.
Vibe coding can enlarge attack surfaces
Vibe coding is the practice of using generative AI to write code, debug, or perform other actions for the coder. The user feeds the generative AI natural language prompts instead of working on the code manually.
Wiz Research pointed out that vibe coding introduces a wider attack surface, as apps made with it could be vulnerable to both AI-based threats such as prompt injection attacks and fundamental application security problems. Using a vibe coding platform opens up shared risk, as any vulnerability in the platform could cascade to any app developed on it.
In a recent Stack Overflow survey, 46% of developers said they don’t trust AI tools’ accuracy. Read our coverage of the survey results to learn more.
Megan Crouse
Megan Crouse has a decade of experience in business-to-business news and feature writing, including as first a writer and then the editor of Manufacturing.net. Her news and feature stories have appeared in Military & Aerospace Electronics, Fierce Wireless, TechRepublic, and eWeek. She copyedited cybersecurity news and features at Security Intelligence. She holds a degree in English Literature and minored in Creative Writing at Fairleigh Dickinson University.
Original Post URL: https://www.techrepublic.com/article/news-base44-vibe-coding-vulnerability/
Category & Tags: Security – Security
Views: 2
